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42 CFR Part 2 
[SAMHSA-4162-20] 
RIN 0930-AA21 
Confidentiality of Substance Use Disorder Patient Records 
AGENCY: Substance Abuse and Mental Health Services Administration, HHS. 
ACTION: Final rule. 
SUMMARY: The Department of Health and Human Services (HHS) is issuing this final rule to 
update and modernize the Confidentiality of Alcohol and Drug Abuse Patient Records 
regulations and facilitate information exchange within new health care models while addressing 
the legitimate privacy concerns of patients seeking treatment for a substance use disorder. These 
modifications also help clarify the regulations and reduce unnecessary burden. 
DATES: Effective date: This final rule is effective [INSERT DATE 30 DAYS AFTER DATE 
OF PUBLICATION IN THE FEDERAL REGISTER]. 
FOR FURTHER INFORMATION CONTACT: Danielle Tarino, Telephone number: (240) 
276-2857, Email address: PrivacyRegulations @ samhsa.hhs. gov. 
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I. Executive Summary 

A. Purpose of the Regulatory Action 

The laws and regulations governing the confidentiality of substance use disorder records 
were written out of great concern about the potential use of substance use disorder information 
against individuals, causing individuals with substance use disorders not to seek needed 
treatment. The disclosure of records of individuals with substance use disorders has the potential 
to lead to a host of negative consequences, including: loss of employment, loss of housing, loss 
of child custody, discrimination by medical professionals and insurers, arrest, prosecution, and 
incarceration. The purpose of the regulations at title 42 of the Code of Federal Regulations 
(CFR) part 2 (42 CFR part 2) is to ensure that a patient receiving treatment for a substance use 


disorder in a part 2 program is not made more vulnerable by reason of the availability of their 


patient record than an individual with a substance use disorder who does not seek treatment. 
Now, more than 29 years since the part 2 regulations were last substantively amended, this final 
rule makes policy changes to the regulations to better align them with advances in the U.S. health 
care delivery system while retaining important privacy protections. 


Need for Regulatory Action 





The last substantive update to these regulations was in 1987. Over the last 29 years, 
significant changes have occurred within the U.S. health care system that were not envisioned by 
the current (1987) regulations, including new models of integrated care that are built on a 
foundation of information sharing to support coordination of patient care, the development of an 
electronic infrastructure for managing and exchanging patient information, and a new focus on 
performance measurement within the health care system. SAMHSA wants to ensure that patients 
with substance use disorders have the ability to participate in, and benefit from health system 
delivery improvements, including from new integrated health care models while providing 
appropriate privacy safeguards. These new integrated models are foundational to HHS’s delivery 


system reform goals of better care, smarter spending, and healthier people. 





Legal Authority for Regulatory Action 

This final rule revises 42 CFR part 2, Confidentiality of Alcohol and Drug Abuse Patient 
Records regulations. The authorizing statute, Title 42, United States Code (U.S.C.) 290dd-2, 
protects the confidentiality of the records containing the identity, diagnosis, prognosis, or 
treatment of any patient that are maintained in connection with the performance of any federally 
assisted program or activity relating to substance abuse (now referred to as substance use 


disorder) education, prevention, training, treatment, rehabilitation, or research. Title 42 of the 


CFR part 2 was first promulgated in 1975 (40 FR 27802) and last substantively updated in 1987 
(52 FR 21796). 

B. Summary of the Major Provisions 

Proposed modifications to 42 CFR part 2 were published as a Notice of Proposed 
Rulemaking (NPRM) on February 9, 2016 (81 FR 6988). After consideration of the public 
comments received in response to the NPRM, SAMHSA is issuing this final rule amending 14 
major provisions of 42 CFR part 2, as follows: 

Statutory authority for confidentiality of substance use disorder patient records (§ 2.1) 
combines old § 2.1 (Statutory authority for confidentiality of drug abuse patient records), and 
§ 2.2 (Statutory authority for confidentiality of alcohol abuse patient records) and deleting 
references to 42 U.S.C. 290ee-3 and 42 U.S.C. 290dd-3, as these U.S.C. sections were omitted 
by Public Law 102-321 and combined and renamed into Section 290dd-2, Confidentiality of 
records. Because SAMHSA combined former §§ 2.1 and 2.2 into § 2.1, we redesignated §§ 2.2 
through 2.5 accordingly. 

Reports of violations (§ 2.4) revises the requirement for reporting violations of these 
regulations by methadone programs (now referred to as opioid treatment programs) to the Food 
and Drug Administration (FDA) because the authority over these programs was transferred from 
the FDA to the Substance Abuse and Mental Health Services Administration (SAMHSA) in 
2001. 

Definitions (§ 2.11) revises some existing definitions, adds new definitions of key terms 
that apply to 42 CFR part 2, and consolidates all but one of the definitions that are currently in 
other sections into § 2.11 (e.g., the definition of “Minor” previously found in § 2.14(a)). We 


revised the definitions of “Central registry,” “Disclose or disclosure,” “Maintenance treatment,” 


“Member program,” “Patient,” “Patient identifying information,” “Person,” “Program,” 
“Qualified service organization (QSO),” “Records,” and “Treatment.” We also added definitions 
of “Part 2 program,” “Part 2 program director,” “Substance use disorder,” “Treating provider 
relationship,” and “Withdrawal management,” some of which replaced existing definitions. In 
addition, SAMHSA revised the regulatory text to use terminology in a consistent manner. The 
following definitions were not revised substantively: “Diagnosis,” “Informant,” “Minor,” 
“Third-party payer,” and “Undercover agent.” 

Applicability (§ 2.12) continues to apply the 42 CFR part 2 regulations to a program that 
is federally assisted and holds itself out as providing, and provides, substance use disorder 
diagnosis, treatment, or referral for treatment. Most changes to the applicability of the part 2 
regulations result from SAMHSA’s decision not to finalize one of its proposed changes to the 


definition of “Program” (see § 2.11, Definitions). Whereas the NPRM definition of “Program” 





included, under certain conditions, “general medical practices” in addition to “general medical 
facilities,” the definition in this final rule is limited to “general medical facilities.” However, 
consistent with the NPRM, the definition of “Program” continues to use the term “general 
medical facility” rather than both “general medical facility” and “general medical care facility” 
that were used interchangeably in the 1987 final rule definition of “Program.” For example, an 
identified unit within a general medical facility is subject to part 2 if it holds itself out as 
providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment. In 
addition, if the primary function of medical personnel or other staff in a general medical facility 
is the provision of such services and they are identified as providing such services, they are 
considered a “Program” and, thus, subject to part 2. This final rule revises § 2.12(d)(2)(i)(C) so 


that restrictions on disclosures also apply to individuals or entities who receive patient records 


from other lawful holders of patient identifying information, such that patient records subject to 
the part 2 regulations include substance use disorder records maintained by part 2 programs, as 
well as those records in the possession of “other lawful holders of patient identifying 
information.” 

Confidentiality restrictions and safeguards (§ 2.13) adds a requirement that, upon request, 
patients who have included a general designation in the “To Whom” section of their consent 
form (see § 2.31) must be provided a list of entities (referred to as a List of Disclosures) to which 
their information has been disclosed pursuant to the general designation. 

Security for records (§ 2.16) clarifies that this section requires both part 2 programs and 
other lawful holders of patient identifying information to have in place formal policies and 
procedures addressing security, including sanitization of associated media, for both paper and 
electronic records. 

Disposition of records by discontinued programs (§ 2.19) addresses both paper and 
electronic records. SAMHSA also added requirements for sanitizing associated media. 

In Section I., Notice to Patients of Federal Confidentiality Requirements (§ 2.22), 
SAMHSA clarifies that the written summary of federal law and regulations may be provided to 
patients in either paper or electronic format. SAMHSA also revised § 2.22 to require the 
statement regarding the reporting of violations include contact information for the appropriate 
authorities. 

Consent requirements (§ 2.31) permits, in certain circumstances, a patient to include a 
general designation in the “To Whom” section of the consent form, in conjunction with 
requirements that the consent form include an explicit description of the amount and kind of 


substance use disorder treatment information that may be disclosed. SAMHSA decided not to 
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finalize its proposed changes to the “From Whom” section, but did make minor updates to the 
terminology in the text. SAMHSA also revised § 2.31 to require the part 2 program or other 
lawful holder of patient identifying information to include a statement on the consent form when 
using a general designation in the “To Whom” section of the consent form that patients have a 
right to obtain, upon request, a list of entities to which their information has been disclosed 
pursuant to the general designation (see § 2.13). In addition, SAMHSA revised § 2.31 to permit 
electronic signatures to the extent that they are not prohibited by any applicable law. 

In Section K., Prohibition on Re-disclosure (§ 2.32), SAMHSA clarifies that the 
prohibition on re-disclosure only applies to information that would identify, directly or 
indirectly, an individual as having been diagnosed, treated, or referred for treatment for a 
substance use disorder, such as indicated through standard medical codes, descriptive language, 
or both, and allows other health-related information shared by the part 2 program to be re- 
disclosed, if permissible under other applicable laws. 

Disclosures to prevent multiple enrollments (§ 2.34) modernizes the terminology and 
definitions and moves the definitions to § 2.11 (Definitions). 

Medical emergencies (§ 2.51) revises the medical emergency exception to make it 
consistent with the statutory language and to give providers more discretion to determine when a 
“bona fide medical emergency” exists. 

Research (§ 2.52) revises the research exception to permit data protected by 42 CFR part 
2 to be disclosed to qualified personnel for the purpose of conducting scientific research by a part 
2 program or any other individual or entity that is in lawful possession of part 2 data if the 
researcher provides documentation of meeting certain requirements related to other existing 


protections for human research. SAMHSA also revised § 2.52 to address data linkages to enable 
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researchers holding part 2 data to obtain linkages to other datasets, provided that appropriate 
safeguards are in place as outlined in section 2.52. 

Audit and evaluation (§ 2.53) modernizes the requirements to include provisions 
governing both paper and electronic patient records. SAMHSA also revised § 2.53 to permit an 
audit or evaluation necessary to meet the requirements of a Centers for Medicare & Medicaid 
Services (CMS)-regulated accountable care organization (CMS-regulated ACO) or similar CMS- 
regulated organization (including a CMS-regulated Qualified Entity (QE)), under certain 
conditions. 

The other sections in 42 CFR part 2 that are not referenced above are not addressed in 
this final rule nor were they discussed in the NPRM because SAMHSA is maintaining their 
content substantively unchanged from the 1987 final rule. 

C. Summary of Impacts 

In the first year that the final rule is in effect, we estimate that the total costs associated 
with updates to 42 CFR part 2 will be roughly $70,691,000. In year two we estimate that costs 
will be $17,680,000, and increase annually as a larger share of entities implement List of 
Disclosures requirements and respond to disclosure requests. Over the 10-year period of 2016- 
2025, the total undiscounted cost of the part 2 changes will be about $241 million in 2016 
dollars. When future costs are discounted at 3 percent or 7 percent per year, the total costs 
become approximately $217,586,000 or $193,098,000, respectively. These costs are presented in 
the tables below. 

Costs associated with the 42 CFR part 2 final rule, include: updates to health IT system 
costs, costs for staff training and updates to training curricula, costs to update patient consent 


forms, costs associated with providing patients a list of entities to which their information has 
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been disclosed pursuant to a general designation on the consent form (1.e., the List of Disclosures 
requirement), and implementation costs associated with the List of Disclosures requirements. We 
assumed that costs associated with modifications to existing health IT systems, staff training 
costs associated with updating staff training materials, and costs to update consent forms will be 
one-time costs the first year the final rule is in effect and will not carry forward into future years. 
Staff training costs other than those associated with updating training materials are assumed to be 
ongoing annual costs to part 2 programs, also beginning in the first year that the final rule is in 
effect. The List of Disclosures costs are assumed to be ongoing annual costs to entities named on 
a consent form that disclose patient identifying information to their participants under the general 
designation. Costs associated with the List of Disclosures provision are limited to 
implementation costs for entities that chose to upgrade their health IT systems in order to comply 
with the List of Disclosures requirements. Several provisions in the final rule reference other 
lawful holders of patient identifying information in combination with part 2 programs. These 
other lawful holders must comply with part 2 requirements with respect to information they 
maintain that is covered by part 2 regulations. However, because this group is not clearly defined 
with respect to the range of organizations it may include, we are unable to include estimates 
regarding the number and type of these organizations and are only including part 2 programs in 
this analysis. 

The benefits of modernizing the part 2 regulations is to increase opportunities for 
individuals with substance use disorders to participate in new and emerging health and health 
care models and health information technology (IT). The final rule will facilitate the sharing of 
information within the health care system to support new models of integrated health care which, 


among other things, improve patient safety while maintaining or strengthening privacy 
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protections for individuals seeking treatment for substance use disorders. Moreover, as patients 
are allowed, in certain circumstances, to include a general designation in the “To Whom” section 
of the consent form, we anticipate there will be more individuals with substance use disorders 
participating in organizations that facilitate the exchange of health information (e.g., health 
information exchanges (HIEs)) and organizations that coordinate care (e.g., ACOs and 
coordinated care organizations (CCOs)), leading to increased efficiency and quality in the 
provision of health care for this population. In addition, the revisions to the research provision 
(§ 2.52) will allow additional scientific research to be conducted that will facilitate continual 
quality improvement of part 2 programs and the important services they offer. 
II. Background 

A. Significant Technology Changes 

Since the promulgation of 42 CFR part 2, significant technology changes have impacted 
the delivery of health care. The Office of the National Coordinator for Health Information 
Technology (ONC) was established as an office within HHS under Executive Order 13335 on 
April 27, 2004. Subsequently, on February 17, 2009, the Health Information Technology for 
Economic and Clinical Health Act (HITECH Act) of the American Recovery and Reinvestment 
Act of 2009 (ARRA) (Pub. L. 111-5) expanded the Department's health IT work, including the 
expansion of ONC's authority and the provision of federal funds for ONC's activities consistent 
with the development of a nationwide health IT infrastructure. This work included the 
certification of health IT; the authorization of CMS’ Electronic Health Record (EHR) Incentive 
Program, including payments to eligible providers for the adoption and meaningful use of 
certified EHR technology; and numerous other federal agencies' programs—all of which served 


the objective of ensuring patient health information is secure, private, accurate, and available 
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where and when needed. SAMHSA’s role in encouraging the use of health IT by behavioral 
health (substance use disorder and mental health) providers, included: (1) collaborating with 
ONC to develop two sets of Frequently Asked Questions (FAQs) and convening a number of 
stakeholder meetings to provide guidance on the application of 42 CFR part 2 to HIE models; (2) 
a one-year pilot project with five state HIEs to support the exchange of health information 
among behavioral health and physical health providers; and (3) the Data Segmentation for 
Privacy (DS4P) initiative within ONC's Standards and Interoperability (S&I) Framework 
facilitated: 

e the development of standards to improve the interoperability of EHRs containing 
sensitive information that must be protected to a greater degree than other health 
information due to 42 CFR part 2 and similar state laws, 

e six DS4P Implementation Guide (IG) use case pilot projects including the 
Department of Veterans Affairs (VA)/SAMHSA Pilot that implemented all the DS4P 
use cases and passed all conformance tests, and 

e the development of the application branded Consent2Share, an open-source health IT 
solution based on DS4P which assists in consent management and data segmentation. 
Consent2Share is currently being used by the Prince Georges County (Maryland) 
Health Department to manage patient consent directives while sharing substance use 
disorder information with an HIE. 

Despite SAMHSA's efforts, some stakeholders continued to request modernization of 42 

CFR part 2 out of concern that part 2, as written in the current (1987) regulation, continues to be 


a barrier to the integration of substance use disorder treatment and physical health care. As noted 
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below, SAMHSA plans to release shortly an updated version of Consent2Share with improved 
functionality and ability to meet List of Disclosures requirements. 

B. Statutory and Rulemaking History 

The Confidentiality of Alcohol and Drug Abuse Patient Records regulations, 42 CFR part 
2, implement Section 543 of the Public Health Service Act, 42 U.S.C. 290dd-2, as amended by 
Section 131 of the Alcohol, Drug Abuse and Mental Health Administration Reorganization Act 
(ADAMHA Reorganization Act), Pub. L. 102-321 (July 10, 1992). The regulations were 
promulgated as a final rule on July 1, 1975 (40 FR 27802). In 1980, the Department invited 
public comment on 15 substantive issues arising out of its experience interpreting and 
implementing the regulations (45 FR 53). More than 450 public responses to that invitation were 
received and taken into consideration in the preparation of a 1983 NPRM (48 FR 38758). 
Approximately 150 comments were received in response to the NPRM and were taken into 
consideration in the preparation of the final rule released on June 9, 1987 (52 FR 21798). 

The Department published an NPRM again in the Federal Register (FR) on August 18, 
1994 (59 FR 42561), which proposed a clarification of the definition of “Program” in the 
regulations. Specifically, the Department proposed to clarify that, as to general medical care 
facilities, these regulations cover only specialized individuals or units in such facilities that hold 
themselves out as providing and provide alcohol or drug abuse (now referred to as substance use 
disorder) diagnosis, treatment, or referral for treatment and which are federally assisted, directly 
or indirectly. On May 5, 1995, the final rule was released (60 FR 22296). 

SAMHSA posted a document in the FR on May 12, 2014, (79 FR 26929) announcing a 
public Listening Session planned for June 11, 2014, to solicit feedback on the Confidentiality of 


Alcohol and Drug Abuse Patient Records regulations, 42 CFR part 2. SAMHSA accepted written 
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comments until June 25, 2014. The Listening Session comments are posted on the SAMHSA 


Web site at http:/www.samhsa. gov/about-us/who-we-are/laws-regulations/public-comments- 





confidentiality-regulations. 





Prompted by the need to update and modernize the Confidentiality of Alcohol and Drug 
Abuse Patient Records regulations at 42 CFR part 2, on February 9, 2016, SAMHSA published 
an NPRM that proposed revisions to the part 2 regulations and requested public input on the 
proposed changes during a 60-day public comment period (81 FR 6988). Although raised in the 
Listening Session public comments, SAMHSA decided not to address issues pertaining to e- 
prescribing and Prescription Drug Monitoring Programs (PDMPs) in the NPRM because they 
were not ripe for rulemaking at the time due to the state of technology and because the majority 
of part 2 programs are not prescribing controlled substances electronically. As noted in the 
NPRM, SAMHSA intends to monitor developments in this area to see whether further action 
may be warranted in the future. SAMHSA received 376 public comment submissions on the part 
2 NPRM. The comments received were detailed, thoughtful, and reflective of the complex issues 
addressed and balanced in the part 2 regulations. This final rule reflects SAMHSA’s thorough 
consideration of all substantive issues raised in the public comments in response to its proposals 
in the NPRM. 
III. Overview of the Final Rule 

In this final rule, the Department finalizes the modifications to the Confidentiality of 
Alcohol and Drug Abuse Patient Records, 42 CFR part 2, including renaming it “Confidentiality 
of Substance Use Disorder Patient Records.” The modifications modernize the rule by 
facilitating electronic exchange of substance use disorder information for treatment and other 


legitimate health care purposes while ensuring appropriate confidentiality protections for records 
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that might identify an individual, directly or indirectly, as having or having had a substance use 
disorder. 


Overview of Public Comments 





We received 376 public comments from medical health care providers; behavioral health 
care providers; combined medical/behavioral health care providers; HIEs, ACOs, CCOs, and 
certified patient-centered medical homes (CPCMHs), sometimes called health homes; third-party 
payers; privacy/consumer advocates; medical health care provider associations; behavioral health 
care provider associations; accrediting organizations; researchers; individuals (with no stated 
affiliation); attorneys (with no stated affiliation); HIT vendors; and state/local governments. The 
comments ranged from general support or opposition to the proposed provisions to very specific 
questions or comments regarding the proposed rules. 

Some comments were outside the scope of or inconsistent with SAMHSA’s legal 
authority regarding the confidentiality of substance use disorder patient records. Likewise, other 
comments did not pertain to specific proposals made by SAMHSA in the NPRM. In some 
instances, commenters raised policy or operational issues that are best addressed through 
subregulatory guidance that SAMHSA will consider issuing subsequent to this final rule. 
Consequently, SAMHSA did not address these comments in this final rule. 

Commenters have also provided SAMHSA with informative feedback on how lawful 
holders, including third-party payers and others within the healthcare industry, use health data or 
hire others to use health data on their behalf to provide operational services such as independent 
auditing, legal services, claims processing, plan pricing and other functions that are key to the 
day-to-day operation of entities subject to this rule. We have previously clarified in responses to 


particular questions that contracted agents of individuals and/or entities may be treated as the 
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individual/entity. Questions raised by commenters during this rulemaking have, however, 
highlighted varying interpretations of the current (1987) rule’s restrictions on lawful holders and 
their contractors’ and subcontractors’ use and disclosure of part 2-covered data for purposes of 
carrying out payment, health care operations, and other health care related activities. In 
consideration of this feedback and given the critical role that third-party payers, other lawful 
holders, and their contractors and subcontractors play in the provision of health care services, 
SAMHSA is issuing a supplemental notice of proposed rulemaking (SNPRM) to seek further 
comments and information on this matter. 
IV. Effective Date 

In this final rule, SAMHSA has established a single effective date of 30 days after the 
publication of the final rule, or [INSERT DATE 30 DAYS AFTER DATE OF PUBLICATION 
IN THE FEDERAL REGISTER]. On this date, the revised 42 CFR part 2 will replace the 1987 
version of part 2 in the CFR and all part 2 programs and other lawful holders of patient 
identifying information must comply with all aspects of the regulations. In the NPRM, 
SAMHSA proposed that, with the exception of § 2.13(d), part 2 programs and other lawful 
holders of patient identifying information would have to comply with applicable requirements of 
the revised part 2 regulations beginning 30 days after the publication of the final rule. See 
Section V.D.3 below for a discussion of “other lawful holders.” We proposed that entities would 
not have to comply with the List of Disclosures requirements of § 2.13(d) until two-years after 
the effective date of the final rule. As explained below, because the right to obtain, upon request, 
a List of Disclosures is only available to patients who use a general designation in the “To 
Whom” section of the consent form, entities must only have the technical capability to provide 


the List of Disclosures if they take advantage of the general designation provision. Therefore, 
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SAMHSA has revised the effective date from that proposed to avoid confusion. However, 
signed consent forms in place prior to the effective date of this final rule will be valid until they 
expire. Nonetheless, part 2 programs may update signed consent forms consistent with the final 
rule, prior to the effective date of the final rule if they so choose. Consents obtained after the 
effective date will need to comply with the final rule, regardless of whether the consents involve 
patient identifying information obtained prior to or after the effective date of this final rule. 


Public Comments: 





One commenter urged that the final rule allow for implementation of the research 
provision (§ 2.52) immediately or shortly after the rule takes effect. Several commenters raised 
concerns about how to interpret the two-year delayed implementation of List of Disclosures and 
whether the general designation will be used during that period. 


SAMHSA Response: 





SAMHSA acknowledges commenters’ confusion regarding the proposed two-year 
delayed compliance date for the List of Disclosures requirements. After considering the public 
comments received on this point, SAMHSA realized that such a two-year delayed compliance 
date for the requirements of § 2.13(d) is not helpful. As explained in the “To Whom” section of 
the part 2-compliant consent requirements (see Section V.J.2 below), an entity that serves as an 
intermediary (e.g., HIE, ACO, CCO) must comply with the List of Disclosures provision in order 
to disclose information pursuant to a general designation provided on the consent form (see 
§ 2.31(a)(4)(i11)(B)(3)@)). Therefore, an entity that serves as an intermediary would be prohibited 
from electing to disclose information pursuant to a general designation without the ability to 
comply with the List of Disclosures requirement. It would not make sense to implement a two- 


year delayed compliance date for the List of Disclosures requirements at § 2.13(d) because the 


20 


only reason an entity that serves as an intermediary would have to comply with the List of 
Disclosures requirements would be if they wanted to disclose information pursuant to general 
designations that have been included in the “To Whom” section of the patient consent form, 
which requires alerting patients to the fact that they have a right to request a list of entities to 
which their information has been disclosed (per § 2.13(d)). Thus, an entity that serves as an 
intermediary is prohibited from disclosing information pursuant to a general designation without 
having the capability to comply with the List of Disclosures requirements. For these reasons, it is 
not advisable to include a two-year delayed compliance date for the List of Disclosures 
provision. Some entities that serve as intermediaries as described by § 2.31(a)(4)(iii)(B) may 
elect never to disclose information pursuant to a general designation and, thus, would not need to 
comply with the List of Disclosures requirement. Those that choose to disclose information 
pursuant to general designations must ensure the capability to comply with the List of 
Disclosures requirements at § 2.13(d) before they disclose the information pursuant to a general 
designation. But there is no timeframe in which they need to comply; only the condition that if 
they choose to have the option of disclosing information pursuant to a general designation on a 
consent form, they must also be capable of providing a List of Disclosures upon request per 

§ 2.13(d). 

Regarding the suggestion to allow for implementation of the Research provision § 2.52 
immediately after the final rule takes effect, SAMHSA declines to make this change. For clarity 
regarding part 2 compliance, the 1987 part 2 final rule remains in effect until the effective date 
for the 2016 part 2 regulations established in this final rule. Because of the revised definitions 
that impact the research provision, it would create unnecessary confusion to make effective 


§ 2.52 before the rest of the final rule. 
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V. Discussion of Public Comments and Final Modifications to 42 CFR part 2 

In this section of the final rule, SAMHSA explains the finalized revisions to the part 2 
regulations and responds to public comments received. If a part 2 CFR section is not addressed 
below, it is because SAMHSA did not propose changes to that part 2 provision and that this final 
rule maintains the existing language in that section. However, SAMHSA notes that in addition to 
the revisions discussed below, SAMHSA has made other technical, non-substantive, and 
nomenclature changes to various part 2 provisions. Those changes are reflected in the regulatory 
text at the end of this rule. 

A. General Comments on the Proposed Rule 


1. General Feedback on the Proposed Rule 





a. General Support for the Proposed Rule 





Public Comments: 





Many commenters expressed general support for the proposed rule, with some noting that 
the proposed rule would preserve the confidentiality rights of substance use disorder patients 
while facilitating the sharing of health information; would ensure that patients with a substance 
use disorder participate in, and benefit from, new integrated health care models without fear of 
putting themselves at risk of adverse consequences; would help reduce the stigma associated 
with substance use disorder; and would provide patients comfort in knowing they have control of 
their record. 

Several commenters expressed general support for the NPRM’s proposed part 2 changes 
to enhance integrated care and information exchange. Multiple commenters, with some stressing 
the need for patient privacy protections, suggested that integrated networks of care between 


medical and behavioral health services is current best practice and will benefit patients. Two 
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commenters implied general support. The first of these two commenters stated that the current 
practice of keeping paper substance use records separate from the EHR system increases work 
required to maintain records, creates redundancies, and could contribute to providers missing 
critical information needed for treating patients. The second commenter stated that the current 
(1987) part 2 regulations are out of step with the health care system’s rapid adoption of EHRs, its 
capacity to quickly exchange information (e.g., HIEs), the federal privacy and security 
regulations (Health Insurance and Portability and Accountability Act [HIPAA] and HITECH) 
governing these EHRs and exchanges, and the increasing treatment of patients’ substance use in 
health care systems not covered by existing part 2 regulations, but by HIPAA. 

Another commenter expressed support for the facilitation of electronic exchange of 
substance use disorder treatment information where the confidentiality protections historically 
afforded patients by part 2 are maintained. 

A few commenters stated that the proposal would help patients with substance use 
disorders benefit from emerging care models that require enhanced health information exchange 
for better care coordination (e.g., CPCMHs, ACOs). 


SAMHSA Response: 





SAMHSA appreciates the support for updating the regulations. This final rule is intended 
to modernize the part 2 regulations by facilitating the electronic exchange of substance use 
disorder information for treatment and other legitimate health care purposes while ensuring 
appropriate confidentiality protections for records that might identify an individual, directly or 
indirectly, as having or having had a substance use disorder. Many new integrated care models 
rely on interoperable health IT and these proposed changes are expected to support the 


integration of substance use disorder treatment into primary and other specialty care, improving 


pe 


the patient experience, clinical outcomes, and patient safety while at the same time ensuring 
patient choice, confidentiality, and privacy. Due to its targeted population, part 2 provides more 
stringent federal protections than most other health privacy laws, including HIPAA. 


b. General Opposition to the Proposed Rule 





Public Comments: 





Some commenters expressed general opposition to the proposed rule, with some arguing 
that it would eliminate the right of patients to protect and control personal health information; 
would introduce complexity, not simplification; and would maintain the stigma surrounding drug 
use. One commenter warned the proposed rule would create concessions to institutional 
stakeholders, both providers and researchers, who find the consent requirements inconvenient 
and burdensome. 

Many commenters requested that part 2 remain unchanged, with some stating that 
loosening part 2 regulations would dissuade substance use disorder patients from seeking help 
out of fear of how their information could be used against them or that the proposed regulations 
would not offer the intended protection. 

Some commenters asserted that maintaining a separate set of confidentiality restrictions 
aimed solely at substance use disorder providers and patients perpetuates the discrimination 
associated with substance use disorder and ultimately negatively impacts patients and the care 
they receive, suggesting that issues of substance use disorder information confidentiality should 
be part of the broader general medical care confidentiality regulations. Others argued that the 
fear of discrimination is a real problem for many individuals suffering from a substance use 


disorder and being able to receive treatment without worrying that personal information will be 
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leaked is crucial in helping these people get the help they need so that they can return to their 
communities as contributing members of society. 


SAMHSA Response: 





SAMHSA wants to ensure that patients with substance use disorders have the ability to 
participate in, and benefit from, new and emerging health care models that promote integrated 
care and patient safety while respecting the legitimate privacy concerns of patients seeking 
treatment for a substance use disorder due to the potential for discrimination, harm to their 
reputations and relationships, and serious civil and criminal consequences. This approach is 
consistent with the intent of the governing statute (42 U.S.C. 290dd-2) and regulations at 42 CFR 
part 2, which is to protect the confidentiality of substance use disorder patient records. 

SAMHSA has added more flexibility to some of the consent provisions, including a range of “To 
Whom” consent options that includes the current (1987) “To Whom” consent requirement, but 
still retained core part 2 protections, including the prohibition on re-disclosure as well as 
requiring the “Amount and Kind” section of the consent form to include how much and what 
kind of information is to be disclosed, including an explicit description of the substance use 
disorder information that may be disclosed. Changes to the research provision also enable 
patients to benefit from advanced research protocols while still complying with part 2 protections 
regarding patient confidentiality. However, with these conflicting comments, as well all other 
comments, SAMHSA was guided by the governing statute in developing the final rule, which 


restricts disclosure without consent other than under a small number of exceptions 


2. The Proposed Rule Did Not Go Far Enough to Facilitate Information Exchange 





Public Comments: 
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Several commenters suggested that the proposed part 2 revisions did not go far enough to 
facilitate information exchange and data sharing. For example, some commenters asserted that 
the proposed regulations would maintain previous barriers and create additional barriers that 
impede the sharing of information exchange and care coordination necessary to effectively treat 
patients who seek care in a variety of settings. A few commenters said the proposed part 2 
revisions go beyond the protections intended by the statutory requirements in 42 U.S.C. 290dd—2 
and suggested that the proposed changes would continue to decrease access to substance use 
disorder treatment and the achievement of positive health outcomes. 

Citing concerns about people with substance use disorders who visit multiple health care 
providers to obtain medication, one commenter advocated that substance use disorder health care 
records should be accessible to all health care facilities for the sole purpose of better treating and 
rehabilitating these patients. 

Other commenters requested further clarification on the regulations to ensure that 
coordination of care happens smoothly for all patients, especially those at the highest need of 
coordination, without unnecessary barriers. Citing a 2010 report from the President’s Council of 
Advisors on Science and Technology, a couple of commenters urged SAMHSA to initiate a 
broad conversation among other HHS agencies to develop a granular data specification standard 
that enables patients to be in full control of all their health data, not just part 2 data. 

Citing technological barriers, a commenter asserted that additional changes to part 2 are 
necessary to allow for technological solutions for sharing data. One commenter said new funding 
for HIEs permitted by recent CMS guidance could be maximized by more substantial revisions 
to part 2 that would encourage the inclusion of substance use disorder providers in HIEs. 


Expressing uncertainty as to whether data segmentation can be implemented effectively absent 
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clear standards, a commenter expressed concern the result would be a two-tier system of how 

substance use disorder data are defined both by payers and by local and state jurisdictions that 
has the effect of having substance use disorder data exchanged differently depending on if the 
patient received services within or beyond the veil of part 2 regulation. 

Some commenters suggested that the current (1987) part 2 regulation and the proposed 
revisions maintain a status quo of segregated substance use disorder information with minimal 
benefits to patients, high compliance costs, and deterrence for organizations to provide substance 
use treatment. Some of these commenters said the part 2 regulations keep the substance use 
disorder treatment system isolated from general health care providers and reduce access to 
substance use disorder treatment being added by general health care organizations, which, due to 
administrative burden and liability fears, are less likely to add substance use disorder treatment. 
A few of these commenters asserted that the part 2 regulations have unintended consequences, 
including disadvantaging persons with a substance use disorder and treatment providers because 
of the burdens associated with constantly updating expiring consents. One of these commenters 
said that the burdens caused by the part 2 regulations are particularly costly because patients with 
substance use disorder are among the highest cost utilizers in the health care system. 

Some commenters asserted that maintaining a separate set of confidentiality restrictions 
aimed solely at substance use disorder providers and patients perpetuates the stigma associated 
with substance use disorder and ultimately negatively impacts patients and the care they receive, 
suggesting that issues of substance use disorder information confidentiality should be part of the 
broader general medical care confidentiality regulations. 

Some commenters expressed concern that the proposed part 2 revisions did not address 


information exchange issues associated with specific types of health care services delivery, 
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including integrated delivery systems operating with a behavioral health organization unit or 
department; organizations that include affiliated entities, such as jointly held and operated 
hospital-based systems and health insurance plans; risk-based Medicaid managed care; social 
service programs integrated with publicly financed health delivery systems; and combined 
behavioral health service delivery. 

One commenter urged SAMHSA to include the release of previous substance use 
disorder treatment information from insurance companies to part 2 programs as disclosure 
permitted without consent under part 2. Another commenter expressed concern that SAMHSA 
did not propose an allowance under part 2 regarding appropriate disclosures by a health plan for 
the coordination of a health plan member’s care. 

Expressing concern that the proposed part 2 revisions do not address many of the issues 
on which SAMHSA has issued guidance with respect to health information networks, a 
commenter asserted that such guidance is outdated and creates unintended obstacles to the 
desired exchange of information on patients with substance use disorders. 


SAMHSA Response: 





The governing statute (42 U.S.C. 290dd-2) and regulations at 42 CFR part 2 protect the 
confidentiality of substance use disorder patient records. Consistent with the governing statute, 
SAMHSA wants to ensure that patients with substance use disorders have the ability to 
participate in, and benefit from new and emerging health care models which promote integrated 
care and patient safety while respecting the legitimate privacy concerns of patients seeking 
treatment for a substance use disorder due to the potential for discrimination, harm to their 
reputations and relationships, and serious civil and criminal consequences. Toward that end, 


SAMHSA held a Listening Session on June 11, 2014, to solicit feedback on the Confidentiality 
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of Alcohol and Drug Abuse Patient Records regulations. All the feedback received from the 
Listening Session was considered and helped to inform the development of the proposed and 
final rules. In addition, SAMHSA collaborated with its federal partner experts in developing this 
final rule. 

Information exchange is addressed in both the applicability provision (§ 2.12) and the 
consent requirements provision (§ 2.31), among other places in this final rule. SAMHSA has 
added more flexibility to the “To Whom” section of the consent form, which will give patients 
the option to release their records to past, current, and/or future treating providers. In addition, 

§ 2.13 requires a part 2-compliant consent form must list the date, event, or condition upon 
which the consent will expire, if not revoked before. Thus, it is not sufficient under part 2 for a 
consent form to merely state that that disclosures will be permitted until the consent is revoked 
by the patient. It is, however, permissible for a consent form to specify the event or condition 
that will result in revocation, such as having its expiration date be “upon my death.” The 
Applicability provision includes: “The restrictions on disclosure in these regulations do not apply 
to communications of information between or among personnel having a need for the 
information in connection with their duties that arise out of the provision of diagnosis, treatment, 
or referral for treatment of patients with substance use disorders if the communications are 
within a part 2 program; or between a part 2 program and an entity that has direct administrative 
control over the program.” 

With this rulemaking, SAMHSA has attempted to facilitate the electronic exchange of 
substance use disorder treatment records while ensuring patient privacy. SAMHSA 
acknowledges that many EHRs and HIEs are experiencing technical barriers to segmenting or 


redacting substance use disorder treatment data. As a result, SAMHSA has spent several years 
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supporting the continued development of the Consent2Share application, an open-source health 
IT solution based on DS4P, which assists in both consent management and data segmentation. It 
is designed to integrate with existing EHR and HIE systems via the developed standards. 
Consent2Share enables electronic implementation of various sensitive health information 
disclosure policies by applying the information-sharing rules needed to constrain the disclosure 
of sensitive data according to patient preferences. SAMHSA, in conjunction with ONC and other 
federal partners, also continues to support the development of data standards and IGs to further 
reduce technical barriers in the field. 

Finally, SAMHSA has added additional information from previously issued FAQ 
guidance to the preamble discussion in this final rule, such as information about medical 
emergencies and “holds itself out,” and plans to issue additional subregulatory guidance after 
publication of the final rule. 


3. Final Rule Should Balance Patient Protections with Enhanced Information 





Exchange 


Public Comments: 





Numerous commenters emphasized that the part 2 revisions must balance patient 
protections with enhanced information exchange and data sharing. 

Some commenters suggested that patient confidentiality should not be compromised by 
any updates to the part 2 regulations, reasoning that the stigma associated with having or having 
had a substance use disorder and the fear that this information may be used against an individual 
would lead them to not seek treatment. To this end, a few of these commenters cautioned 
SAMHSA to remain diligent in the oversight of these regulations to ensure that the information 


is only being conveyed to the appropriate parties with the sole intent to improve patient care. 
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Other commenters emphasized that sharing patient information should be solely for necessary 
medical purposes. Another commenter argued that the interest in integrating mental health care 
with physical health care should not result in the erosion or elimination of the heightened privacy 
protections that are essential for effective mental health treatment. 

A few commenters urged SAMHSA to ensure that the final rule respects patient choice 
for privacy in the treatment of sensitive information like substance use disorder treatment 
records, including the right to control how their records are disclosed, even for health and 
payment purposes. A commenter said the proposed part 2 changes have substantially weakened 
the privacy protections surrounding the sharing of a patient’s substance use treatment data. One 
commenter stated that before an individual’s health data can be accessed, there should be a 
specific, legitimate reason, and a careful review of the patient’s set of permissions. In addition to 
suggesting that mental health and substance abuse records be blocked from view by any 
providers or staff not directly involved in the care and treatment of a patient, a commenter 
asserted that a patient has the right to have substance abuse and/or mental health treatment 
records blocked from view by even their primary care provider or nurses. 

A couple of commenters asserted that it is both necessary and technologically possible to 
integrate substance use disorder and other health care information and effectively exchange 
substance use treatment data while maintaining the core protections of part 2, including consent 
requirements and the prohibition on re-disclosure. 

Emphasizing the importance of patient confidentiality and privacy, a few commenters 
asserted that sacrificing the dignity and well-being of a person seeking help for a substance use 
disorder in the name of convenience, administrative efficiency, and research is a poor way to 


achieve the well-being of either the person in need or the community. One of these commenters 
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recommended that SAMHSA delay the part 2 changes until the technology is available to protect 
persons with substance use disorder. 

Another commenter encouraged a cautious, step-wise approach to making substance use 
treatment records more integrated with general medical records. This commenter expressed 
concern that making treatment records more accessible to other providers would exacerbate the 
stigmatization of substance use disorder, particularly among pregnant women, which could lead 
to these individuals not seeking treatment for their substance use disorder or prenatal care. 


SAMHSA Response: 





SAMHSA reiterates its intent to ensure that patients with substance use disorders have 
the ability to participate in, and benefit from new and emerging health care models which 
promote integrated care and patient safety while respecting the legitimate privacy concerns of 
patients seeking treatment for a substance use disorder due to the potential for discrimination, 
harm to their reputations and relationships, and serious civil and criminal consequences. This 
approach is consistent with the intent of the governing statute (42 U.S.C. 290dd-2) and 
regulations at 42 CFR part 2, which is to protect the confidentiality of substance use disorder 
patient records. 

In response to the commenters who cautioned SAMHSA to remain diligent in the 
oversight of these regulations, SAMHSA has the statutory authority to promulgate 42 CFR part 
2, but the Department of Justice retains the authority for enforcing 42 CFR part 2. Reports of 
violation of these regulations may be directed to the United States Attorney for the judicial 
district in which the violation occurs. The report of any violations of these regulations by an 
opioid treatment program may be directed to United States Attorney for the judicial district in 


which the violation occurs as well as the SAMHSA office for opioid treatment program 
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oversight. SAMHSA has oversight of opioid treatment programs through 42 CFR part 8. Related 
to oversight and compliance education, SAMHSA expects to issue FAQs as it has done in the 
past and develop other subregulatory guidance such as education and outreach materials. 

SAMHSA has added more flexibility to some of the consent provisions but still retained 
core part 2 protections, including prohibition on re-disclosure as well as consent options that 
would continue to give patients significant control. For example, the “To Whom” section of the 
consent form includes an option permitting a general designation under certain circumstances. 
However, SAMHSA retained the option of listing the name(s) of the individual(s) to whom a 
disclosure is made. In addition, any disclosure made under these regulations must comply with 
the “Amount and Kind” of information to be disclosed and the purpose of the disclosure, as 
provided on a part 2-compliant consent form. Furthermore, § 2.13(a) limits the information to be 
disclosed to that information which is necessary to carry out the purpose of the disclosure. 
Moreover, a patient has the option to withhold consent to disclosure of any of their substance use 
disorder information. 

SAMHSA is aware that technology adoption is an ongoing process and that many 
behavioral health providers have yet to adopt electronic health records as incentive payments 
have been unavailable for such purposes for these providers under the HITECH Meaningful Use 
Program. In addition, paper records are still used today in some part 2 programs and shared 
through facsimile (FAX). Therefore, in spite of advances in technology, some stakeholders are 
concerned that part 2, as currently written, continues to be a barrier to the integration of 
substance use disorder treatment and physical health care. Rather than waiting for the 
development and adoption of technology, SAMHSA decided to issue these final regulations to 


ensure that patients with substance use disorders have the ability to participate in, and benefit 
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from new and emerging health care models which promote integrated care and patient safety 
while respecting the legitimate privacy concerns of patients seeking treatment for a substance use 
disorder due to the potential for discrimination, harm to their reputations and relationships, and 
serious civil and criminal consequences. SAMHSA understands the importance of not 
compromising patient protection, and has, in § 2.13(d) of these final regulations, required an 
entity that serves as an intermediary (upon request) to provide a List of Disclosures made 
pursuant to the general designation option. Further, as discussed later in this preamble, the 
general designation option may not be used until there is technical capability to provide the 
required List of Disclosures. 


4. Part 2 Should Align with the Health Insurance Portability and Accountability 





Act 


Public Comments: 





Many commenters expressed that part 2 should be aligned with HIPAA. Some 
commenters specifically mentioned various areas for HIPAA alignment, including the consent 
form; Business Associate Agreement standards; treatment, payment, and health care operations; 
patient-requested restrictions on disclosure; de-identification standards, medical emergencies; 
research; the definition of “Patient identifying information;” HIPAA penalties contained in the 
HITECH Acct; and re-disclosure provisions. Many commenters asserted that aligning the 
regulations with HIPAA would help to strike an appropriate balance between protecting sensitive 
patient health information while providing coordinated, quality care. Many commenters urged 
SAMHSA to align part 2 with HIPAA to broaden the allowable sharing of data for purposes of 


care coordination and patient safety. 
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Numerous commenters urged that substance use disorder records and treatments should 
be held to the same level of privacy as all other health records. Other commenters raised the 
concern of equal access, stating that individuals with substance use disorder should have the 
same access to the benefits of increased care coordination as individuals without substance use 
disorder. 

Commenters encouraged the broader harmonization of part 2, HIPAA, and HITECH into 
a single uniform set of standards applicable for all personal health information, including 
substance use disorder treatment and payment. 

Some commenters asserted that HIPAA is sufficient to protect patient privacy and part 2 
is no longer necessary. Some commenters also asserted that part 2 also predates the development 
of EHR and HIEs, and there is pressing need to reconsider these rules in light of more recent 
technological and legal developments. Some commenters expressed concern that complying with 
both part 2 and HIPAA would lead to undue administrative burden and management issues 
across the continuum of patient care. 

A commenter recommended that SAMHSA should add the same release requirements for 
substance use disorder treatment as is required for psychotherapy notes under HIPAA, which are 
restricted from release without the client’s consent. According to the commenter, this would give 
substance use disorder patients protections with Business Associates Agreements (instead of 
additional rules and forms for Qualified Service Organization Agreements [QSOAs]), 
notification upon breach requirements, and other rights already afforded persons receiving 
medical and mental health care. 

Several commenters said part 2 should be as consistent as possible with HIPAA, except 


for the prohibition on use for investigation, prosecution, or criminal charges. 
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SAMHSA Response: 





SAMHSA noted the many comments from a wide range of commenters that requested 
that SAMHSA align part 2 provisions with HIPAA where possible. In some instances, SAMHSA 
has attempted to do so in this final rule to the extent the change was permissible under 42 U.S.C. 
290dd-2. At the same time, part 2 and its governing statute are separate and distinct from 
HIPAA and its implementing regulations. Because of its targeted population, part 2 provides 
more stringent federal protections than most other health privacy laws, including HIPAA. 

In response to comments about alignment of this regulation with HIPAA, SAMHSA has 
aligned the interpretation the definition of “Patient identifying information” with HIPAA to the 
extent feasible. In addition, SAMHSA revised Security for records (§ 2.16) to more closely align 
with HIPAA. 

B. Statutory Authority (§ 2.1) 

SAMHSA is adopting this section as proposed. SAMHSA has combined what was §§ 2.1 
(Statutory authority for confidentiality of drug abuse patient records) and 2.2 (Statutory authority 
for confidentiality of alcohol abuse patient records) and renamed the new § 2.1, Statutory 
authority for confidentiality of substance use disorder patient records. We have re-designated 
§§ 2.2 through 2.5 accordingly. In the new § 2.1, SAMHSA has deleted references to 42 U.S.C. 
290ee-3 and 42 U.S.C. 290dd-3. Sections 290dd-3 and 290ee-3 were omitted by Public Law 102- 
321 and combined and renamed into Section 290dd-2, Confidentiality of records. In addition, we 
have deleted references to laws and regulations that have been repealed in § 2.21. 


Public Comments: 





One commenter urged SAMHSA to assess whether existing statutory authority is 


adequate to modernize part 2 regulatory requirements to keep pace with existing laws and 
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industry developments while also protecting privacy, and to discuss necessary statutory changes 
in the final rule. Further, the commenter recommended that SAMHSA encourage Congress to 
convene public hearings to evaluate proposals for statutory changes and delay issuing a final rule 
if pending legislative proposals are enacted that change the legal landscape for substance use 
disorder information and related protections. 

A commenter urged SAMHSA to address the congressional action that may be needed to 
effectively expand the ability to provide coordinated services, such as including health and 
human services agencies’ field staff clearly into the definition of treatment terms. 

A few commenters suggested that the statutory authority underlying the part 2 regulations (42 
U.S.C. §290dd—2) should be revised. Another commenter asserted that the 1992 confidentiality 
statute should be reformed to afford patients greater protections against unlawful disclosure of 
their substance use disorder treatment, limit the use of information shared for non-health 
purposes, provide meaningful enforcement and penalties, and more effectively prevent 
discrimination. Another commenter recommended that modifications should be made to HIPAA 
to incorporate special protections and limitations for substance use information and that the part 
2 regulations should be rescinded. If the intent of the part 2 changes is to prevent inappropriate 
adverse consequences from the disclosure of substance use disorder health data, a commenter 
suggested that those specific adverse consequences should be targeted with legislation reform, 
rather than providing a blanket privacy allowance that hides medical information from providers. 


SAMHSA Response: 





SAMHSA does not have the authority to repeal or revise the governing statute for the 
regulations codified at 42 CFR part 2 nor any other statute, as that power is given to Congress. 


The part 2 authorizing statute, 42 U.S.C. 290dd-2, gives the Secretary broad authority to carry 
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out the confidentiality provisions therein, but to promulgate requirements to: (1) carry out the 
purposes of the legislation; (2) prevent its circumvention or evasion; and (3) facilitate its 
compliance. These part 2 revisions were drafted to further these three purposes while, to the 
extent allowable under the legislation, permitting disclosure and use to increase access to 
treatment and improve treatment services. The intent of the part 2 regulations and its governing 
statute (42 U.S.C. 290dd-2) is to protect the confidentiality of substance use disorder patient 
records. Because individuals seeking treatment for substance use disorders may experience a 
host of negative consequences, including discrimination, harm to their reputations and 
relationships, and possibly serious civil and criminal consequences should information regarding 
their treatment be improperly disclosed, there is a specific need for strong privacy protections for 
substance use disorder records. 

C. Reports of Violations (§ 2.4) 

SAMHSA is adopting this section as proposed. We have revised the requirement of 
reporting violations of these regulations by a methadone program to the FDA (§ 2.5(b)). The 
authority over methadone programs (now referred to as opioid treatment programs) was 
transferred from the FDA to SAMHSA in 2001 (66 FR 4076). Suspected violations of 42 CFR 
part 2 by opioid treatment programs may be reported to the U.S. Attorney's Office for the 
judicial district in which the violation occurred, as well as the SAMHSA office responsible for 
opioid treatment program oversight. 


Public Comments: 





SAMHSA received no public comments on this section. This section of the final rule is 
adopted as proposed. 


D. Definitions (§ 2.11) 
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SAMHSA has consolidated all of the definitions in 42 CFR part 2, with the exception the 
definition of the term “Federally assisted,” into a single section at § 2.11. SAMHSA has retained 
the definition of the term “Federally assisted” in § 2.12 (Applicability) for the purpose of clarity 
because it is key to understanding the applicability of the part 2 regulations. SAMHSA is 
adopting these structural changes as proposed in the NPRM. Specific definitions are discussed in 
the sections below. If a part 2 definition is not addressed below, it is because SAMHSA did not 
propose or make substantive changes to that definition. However, as discussed below, SAMHSA 
updated the terms in those definitions, as appropriate (e.g., to replace “program” with “part 2 
program,” and when “alcohol abuse” and “drug abuse” were used collectively to replace it with 
“substance use disorder’). The definitions in the regulatory text of this final rule reflect these 
changes. 


1. New Definitions 





a. Part 2 Program 





SAMHSA is adopting this definition as proposed. SAMHSA defines a “Part 2 program” 
as “a federally assisted program (federally assisted as defined in § 2.12(b) and program as 
defined in § 2.11). See § 2.12(e)(1) for examples.” We have retained the examples provided in 
§ 2.12(e)(1) of the current (1987) regulations, with minor clarifications in § 2.12(e)(1), because 
they explain the part 2 applicability and coverage. SAMHSA has replaced the term “program” 
with “part 2 program,” where appropriate. For example, we have revised the definition of QSO, 
including replacing “program” with “part 2 program,” which is discussed in depth below (see 
Section V.D.2.1., Existing Definitions). We also replaced “program” with “part 2 program” in 


several other definitions, while making no additional changes. 
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While a couple of commenters purported to address the proposed definition of “Part 2 
program,” the nature of their comments made clear that their underlying concern was how 
SAMHSA defined “Program” for purposes of part 2. For this reason, these comments are 
addressed in the discussion of the definition of “Program” below (see Section V.D.2.h). 


b. Part 2 Program Director 





SAMHSA is adopting this definition as proposed, except for a non-substantive technical edit. 
Because of the addition of the “Part 2 program” definition, we have defined a “Part 2 program 
director” as: 

e Inthe case of a part 2 program that is an individual, that individual; and 

e Inthe case of a part 2 program that is an entity, the individual designated as director or 

managing director, or individual otherwise vested with authority to act as chief executive 
officer of the part 2 program. 

We have deleted the definition of “Program Director.” 


Public Comments: 





SAMHSA received no public comments on this definition. This section of the final rule 
is adopted as proposed. 


c. Substance Use Disorder 





SAMHSA is adopting this definition as proposed, except to remove the final sentence, 
“Also referred to as substance abuse.” Throughout this rule, SAMHSA made revisions to refer to 
alcohol abuse and drug abuse collectively as “substance use disorder’ but, when referring to the 
part 2 governing statute, we use “substance abuse” since that is the term used in 42 U.S.C. 
290dd-2. SAMHSA also uses the term “substance abuse” when discussing public comments and 


other publications that use that term. For consistency, SAMHSA also revised the title of 42 CFR 
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part 2 from “Confidentiality of Alcohol and Drug Abuse Patient Records” to “Confidentiality of 
Substance Use Disorder Patient Records.” SAMHSA has replaced “alcohol or drug abuse” with 
“substance use disorder” in several definitions. 

While SAMHSA has deleted the definitions of “Alcohol abuse” and “Drug abuse,” we 
continued to use the terms “alcohol abuse” and “drug abuse” when referring to 42 U.S.C. 290dd- 
3 and 42 U.S.C. 290ee-3 (omitted by Pub. L. 102-321 and combined and renamed into Section 
290dd-2), respectively, because they are the terms used in the statutes. 

SAMHSA is defining the term “Substance use disorder” in such a manner as to cover 
substance use disorders that can be associated with altered mental status that has the potential to 
lead to risky and/or socially prohibited behaviors, including, but not limited to, substances such 
as, alcohol, cannabis, hallucinogens, inhalants, opioids, sedatives, hypnotics, anxiolytics, and 
stimulants. In addition, the “Substance use disorder” definition clarifies that, for the purposes of 
these regulations, the term excludes both tobacco and caffeine. 


Public Comments: 





Several commenters expressed support for the newly defined term “substance use 
disorder” to replace references to alcohol and drug abuse. One commenter requested that 
SAMHSA clarify the scope of substance use disorder and what constitutes substance use 
treatment. Another commenter suggested that, in the definition of substance use disorder, 
protected data should be directly related to an objective measure, such as information related to 
specific payment or clinical diagnosis codes submitted in connection with reimbursement for 


services. 





SAMHSA Response: 


4] 


The final rule adopts the definition of substance use disorder as proposed, except that the 
parenthetical of the proposed definition is not adopted in the final rule. Use of the term is 
consistent with recognized classification manuals, current diagnostic lexicon, and commonly 
used descriptive terminology. Moreover, SAMHSA declines to define substance use disorder 
treatment by specific billing or diagnostic codes in in the final rule as these codes are subject to 


frequent revision. 





d. Treating Provider Relationship 
SAMHSA is modifying the proposed definition of “Treating provider relationship” 
slightly to account for the situation of involuntary commitment and other situations where a 
patient is diagnosed, evaluated and/or treated, but may not have actually consented to such care, 
as discussed in greater detail below. In summary, a treating provider relationship means that, 
regardless of whether there has been an actual in-person encounter: 

e A patient is, agrees to, or is legally required to be diagnosed, evaluated, and/or treated, or 

agrees to accept consultation, for any condition by an individual or entity, and; 

e The individual or entity undertakes or agrees to undertake diagnosis, evaluation, and/or 

treatment of the patient, or consultation with the patient, for any condition. 

As explained in the NPRM, the term “agrees” as used in the definition does not necessarily 
imply a formal written agreement. An agreement might be evidenced, among other things, by 
making an appointment or by a telephone consultation. 

It is also important to note that, based on the definition of treating provider relationship, 
SAMHSA considers an entity to have a treating provider relationship with a patient if the entity 
employs or privileges one or more individuals who have a treating provider relationship with the 


patient. 
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Public Comments: 





A few commenters expressed support for the proposed definition of “treating provider 
relationship.” One commenter supported the definition and added that this type of relationship 
could be a result of any action taken to schedule, refer, or order services that are related to health 
services to be provided in the future. 

Other commenters provided suggestions to improve the definition, including specifying 
entities involved in identifying, evaluating, and referring for treatment any persons in need of 
substance use disorder services; adding related services, including social services, and 
consultation; accounting for patients who cannot agree or consent to the relationship; and 
clarifying that an individual’s designated treating provider is also a treating provider for part 2 
purposes, even before the patient’s first appointment. A few commenters requested that HIEs, 
health plans, and organizations that provide care coordination be added to the definition, or that 
comparable definitions be provided for these entities. 

A few commenters objected to the consent requirements limiting recipients to entities 
with a “treating provider relationship,” and suggested that the requirement be eliminated, or the 
term be redefined to include entities that provide care management. A few commenters also 
disagreed with the interpretation that equates making an appointment with an agreement to 
diagnose or treat. 

Some commenters raised a number of questions about the definition, including whether 
the definition applies to each hospital in a system or to the system as a whole; whether the 
definition applies to Medicaid managed care programs with mandatory enrollment; whether a 


care coordination entity can form a treating provider relationship with an individual; and whether 
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ancillary providers, such as laboratories, pharmacies, therapists, counselors, or mental health 
specialists, fall within the definition of treating provider relationship. 


SAMHSA Response: 





A treating provider relationship, as defined in this final rule, begins when an individual 
seeks or receives health-related assistance from an individual or entity who may provide 
assistance. However, the relationship is clearly established when the individual or entity agrees 
to undertake diagnosis, evaluation, and/or treatment of the patient, or consultation with the 
patient, and the patient agrees to be treated, whether or not there has been an actual in-person 
encounter between the individual or entity and the patient. When a patient is not regarded as 
being legally competent under the laws of their jurisdiction, such as when a patient is subject to 
an involuntary commitment (1.e., formally committed for behavioral health treatment by a court, 
board, commission, or other legal authority), a treating provider relationship may be established 
when a patient is, agrees to, or is legally required to be provided consultation, diagnosis, 
evaluation, and/or treatment by an individual or entity. A treating provider relationship may be 
established whether or not there has been an actual in-person encounter between the individual or 
entity and patient. A treating provider relationship with a patient may be established by any 
member of the health care team as long as the relationship meets the definition of “Treating 
provider relationship.” SAMHSA believes that further specification in this definition is 
unnecessary. 


e. Withdrawal Management 





SAMHSA is adopting this definition as proposed. SAMHSA has removed the definition 


of “Detoxification treatment” and replaced it with the definition of the currently acceptable term 
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“Withdrawal management” as indicated in the American Society of Addiction Medicine 
(ASAM) Principles of Addiction Medicine, 5" edition. 


Public Comments: 





One commenter supported replacing the term “Detoxification treatment” with the term 
“Withdrawal management.” 


SAMHSA Response: 





SAMHSA appreciates this support. 


2. Existing Definitions 





a. Central Registry 





SAMHSA is adopting this definition as proposed. SAMHSA has updated the definition 
of “Central registry” to incorporate currently accepted terminology. 


Public Comments: 





One commenter stated that the NPRM preamble described the proposed revisions to the 
definition of “central registry” as changes to “update terminology to make the definition clearer,” 
rather than detailing the proposed changes to the definition, so there was insufficient information 
for public comment. 


SAMHSA Response: 





Exact language for the definition of “central registry” was provided in the NPRM 
regulation text and is being adopted as proposed. 


b. Disclose or Disclosure 





' ASAM Principles of Addiction Medicine, 5th edition, 2014, Richard Ries et al., editor. 
http://www.asam.org/quality-practice/essential-textbooks/principles-of-addiction-medicine (last accessed Aug. 1, 
2016). 
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SAMHSA is modifying the proposed definition of “Disclose” to specifically cover 
diagnosis, treatment, and referral for treatment for substance use disorder, as follows: “Disclose 
means to communicate any information identifying a patient as being or having been diagnosed 
with a substance use disorder, having or having had a substance use disorder, or being or having 
been referred for treatment of a substance use disorder either directly, by reference to publicly 
available information, or through verification of such identification by another person.” We have 
updated terminology and made the definition clearer. SAMHSA has defined only one word, 
“Disclose,” since it is implied that the same definition applies to other forms of the word. 


Public Comments: 





A commenter encouraged SAMHSA to develop guidance and promote standards 
adoption for the identification of part 2 data so that the implementation and applicability of 
concrete restrictions and obligations can be applied to the disclosure of such data. Another 
commenter urged coordination between the definitions of “disclosure” of a substance use 
disorder and a current or former “patient,” because someone may have a past substance use 
disorder but may not have been a former patient. A commenter stated that the NPRM preamble 
described the proposed revisions to the definition of “disclosure” as changes to “update 
terminology and make the definition clearer,” rather than detailing the proposed changes to the 
definition, so there was insufficient information for public comment. 


SAMHSA Response: 





With regard to developing subregulatory guidance and promoting standards adoption, 
SAMHSA is an organizational member of Health Level 7 (HL7) and is working to ensure that 
health IT standards support the needs of behavioral health treatment patients and providers. 


SAMHSA has supported the creation of several HL7 standards, including the Composite Privacy 


46 


Consent Directive Domain Analysis Model to capture the requirement of states and federal 
agencies. Those requirements were reflected in the IG for Clinical Document Architecture 
Release 2 (CDA R2) to provide a standard-based electronic representation of a consent to 
support the management of consent directives and policies. 

In response to comments urging coordination between the definition of “disclosure” and a 
current or former patient, SAMHSA has expanded the definition of “disclose” to include any 
information identifying a patient as “being or having been diagnosed with a substance use 
disorder, having or having had a substance use disorder, or being or having been referred for 
treatment of a substance use disorder.” Exact language for the definition of “disclosure” was 
provided in the NPRM regulatory text and is being adopted as proposed. We note that to the 
extent an individual may have had a past substance use disorder diagnosis, but never sought or 
received diagnosis, treatment, or referral for substance use disorder treatment, the definition of 
patient would not cover such individual and the part 2 regulations would not apply to that 
individual’s health information unless and until the individual is a patient as defined in these 
regulations. 


c. Maintenance Treatment 





SAMHSA is modifying this definition from what was proposed by replacing the term 
“pharmacotherapy” with the phrase “long-term pharmacotherapy” for purposes of clarity to read 


as follows: “Maintenance treatment means long-term pharmacotherapy for individuals with 





substance use disorders that reduces the pathological pursuit of reward and/or relief and supports 
remission of substance use disorder-related symptoms.” As compared to the 1987 final rule 
definition of “Maintenance treatment,’ SAMHSA updated terminology in the definition and 


moved it from § 2.34 to § 2.11. 
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Public Comments: 





A commenter stated that the NPRM preamble described the proposed revisions to the 
definition of “maintenance treatment” as changes to “update terminology and make the definition 
clearer,” rather than detailing the proposed changes to the definition, so there was insufficient 
information for public comment. 


SAMHSA Response: 





Exact language for the proposed definition of “maintenance treatment” was provided in 
the NPRM regulation text at 81 FR 7014. 


d. Member Program 





In response to comments received, SAMHSA has revised the definition of “Member 
program,” by replacing a reference to a specific geographic distance, so it reads as follows: 


“Member program means a withdrawal management or maintenance treatment program which 





reports patient identifying information to a central registry and which is in the same state as that 
central registry or is in a state that participates in data sharing with the central registry of the 
program in question.” 


Public Comments: 





A commenter asserted that the 125-mile distance to a state border limitation contained 
within the definition of “member program” does not adequately recognize the geographic 
realities of states with significant rural and frontier areas, and the commenter strongly suggested 
that it be eliminated. 


SAMHSA Response: 





In response to the comment, SAMHSA has removed the distance from the definition to 


address the concerns about rural areas and replaced it with “is in a state that participates in data 
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sharing with the central registry of the program in question.” We removed the distance 
requirement from the definition of “Member program” to reflect that in some states (e.g., with 
rural areas) the distance from the border of the state in which the central registry is located may 
exceed 125 miles. 
e. Patient 

SAMHSA is adopting this definition as proposed. To emphasize that the term “Patient” 
refers to both current and former patients, SAMHSA has revised the definition as follows: 
“Patient means any individual who has applied for or been given diagnosis, treatment, or referral 
for treatment for a substance use disorder at a part 2 program. Patient includes any individual 
who, after arrest on a criminal charge, is identified as an individual with a substance use disorder 
in order to determine that individual's eligibility to participate in a part 2 program. This 
definition includes both current and former patients.” 


Public Comments: 





One comment opposed the inclusion of former patients in the definition because 
retrospective outcome studies would be difficult to conduct because many patients relocate or 
their contact information becomes otherwise unobtainable for purposes of obtaining consent to 
disclose and use patient identifying information. One commenter opposed including in the 
definition individuals who “applied for” but did not receive a diagnosis and also asked who 
makes the identification of an individual with a substance use disorder. Another commenter 
suggested that the definition should include individuals participating in prevention programs and 
recovery support programs. A commenter asked whether the definition includes an individual 
who has been involuntarily committed to a program for treatment and suggested that the final 


rule clarify that such an individual is considered a patient and entitled to part 2’s protections. 
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SAMHSA Response: 





Regarding the opposition to including former patients in the definition of “Patient” 
because retrospective outcome studies would be difficult to conduct, this concern appears to be 
based on a misunderstanding that a consent requires a specific expiration date. A part 2- 
compliant consent form must list the date, event, or condition upon which the consent will 
expire, if not revoked before. Therefore, it would be permissible for a consent form to specify the 
event or condition that will result in revocation, such as having its expiration date be “upon my 
death.” Consequently, it is possible for researchers to obtain consents that would permit 
retrospective outcome studies. 

Regarding the inclusion of “applied for” in the definition of “Patient,” this definition has 
not changed from that included in the 1987 final rule except to replace “alcohol and drug abuse” 
with “substance use disorder.”” SAMHSA declines to make the recommended change since no 
other concerns regarding the inclusion of “applied for” have been received in over 29 years. 
Patients who are involuntarily committed to participating in or receiving substance use disorder 
services from a part 2 program are covered by the definition. SAMHSA declines to accept the 
suggestion that the definition should be expanded to cover patients in prevention programs as 
such programs are not covered by the definition of a part 2 program. 


f. Patient Identifying Information 





SAMHSA is modifying the definition as proposed to: (1) clarify that SAMHSA intends 
for the identifiers listed in the HIPAA Privacy Rule at 45 CFR 164.514(b)(2)() that are not 
already included in the definition of patient identifying information to meet the “or similar 
information” standard; (2) delete the word “publicly” from the phrase “can be determined with 


reasonable accuracy either directly or by reference to other publicly available information”; and 
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(3) to revise the last sentence as follows: for internal use only by the part 2 program, if that 
number does not consist of, or contain numbers (such as a social security, or driver's license 
number) that could be used to identify a patient with reasonable accuracy from sources external 
to the part 2 program.” 

SAMHSA intends for the identifiers listed in the HIPAA Privacy Rule at 45 CFR 
164.514(b)(2)() that are not already included in the definition of “Patient identifying 
information” to meet the following clause: “or similar information.” Those HIPAA Privacy Rule 
identifiers are: 

(1) Name; 

(2) All geographic subdivisions smaller than a [s]tate, including street address, city, 
county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a 
zip code if, according to the current publicly available data from the Bureau of the Census: 

(i) The geographic unit formed by combining all zip codes with the same three initial 
digits contains more than 20,000 people; and 

(ii) The initial three digits of a zip code for all such geographic units containing 20,000 or 
fewer people is changed to 000; 

(3) All elements of dates (except year) for dates directly related to an individual, 
including birth date, admission date, discharge date, date of death; and all ages over 89 and all 
elements of dates (including year) indicative of such age, except that such ages and elements 
may be aggregated into a single category of age 90 or older; 

(4) Telephone numbers; 

(5) Fax numbers; 


(6) Electronic mail addresses; 
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(7) Social security numbers; 

(8) Medical record numbers; 

(9) Health plan beneficiary numbers; 

(10) Account numbers; 

(11) Certificate/license numbers; 

(12) Vehicle identifiers and serial numbers, including license plate numbers; 
(13) Device identifiers and serial numbers; 

(14) Web Universal Resource Locators (URLs); 

(15) Internet Protocol (IP) address numbers; 

(16) Biometric identifiers, including finger and voice prints; 

(17) Full face photographic images and any comparable image; or 
(18) Any other unique identifying number, characteristic, or code. 


Public Comments: 





A few commenters urged that the definition of “Patient identifying information” be 
aligned with the “protected health information,” including the patient identifiers, under HIPAA. 
One commenter recommended that telephone numbers and email addresses should be mentioned 
because they are accessible by electronic means. Another commenter suggested that SAMHSA 
delete the reference to publicly available information; use a phrase such as, “information with 
respect to which there is a reasonable basis to believe that the information can be used to identify 
the individual”; and mention other identifiers assigned to an individual, including credit card 
numbers, driver’s license numbers, and automobile license numbers. 


SAMHSA Response: 
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The HIPAA Privacy Rule, at 45 CFR 164.514(b)(2)(i), enumerates 18 identifiers that 
make health information individually identifiable. SAMHSA considers any of these identifiers to 
be patient identifying information either because SAMHSA has explicitly listed the identifier in 
the definition of patient identifying information in 42 CFR part 2 or because SAMHSA considers 
the identifier to be ‘similar information’ (See § 2.11 Definitions). Also as suggested, SAMHSA 
has deleted the word “publicly” from the phrase “can be determined with reasonable accuracy 
either directly or by reference to other publicly available information;” 

g. Person 

SAMHSA is adopting this definition as proposed. SAMHSA has revised the definition of 

“Person” to clearly indicate that “Person” is also referred to as individual or entity. 


Public Comments: 





A commenter urged SAMHSA to recognize an “Affiliated Covered Entity” under HIPAA 
as an “entity” in the definition of “Person.” Another commenter asked that the definition specify 
that it includes limited liability companies. A commenter suggested removing the redundant 
parenthetical at the end of the proposed definition. 


SAMHSA Response: 





SAMHSA has determined that no change is needed in response to the comments; the 
definition covers any legal entity. SAMHSA declines to delete the clarifying parenthetical at the 
end of the definition since the terms “individual” and “entity” are more intuitive than the term 
“person,” as defined in these regulations. 

h. Program 
SAMHSA decided not to finalize its proposed changes to the definition of “Program,” 


but did make minor updates to the terminology in the text. We are, however, finalizing certain 
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other minor changes to the proposed definition to update terminology so that it is consistent with 
current best practice. 

First, SAMHSA moved the reference to examples from the definition of “Program” to the 
definition of “Part 2 program.” 

Second, we retain the language changes from drug and/or alcohol abuse to substance use 
disorder. 

Finally, as stated in the NPRM, SAMHSA clarifies that paragraph (1) of the definition of 
“Program” would not apply to “general medical facilities”. However, paragraphs (2) and (3) of 
the definition of “Program” would apply to “general medical facilities.” 


Public Comments: 





A few commenters expressed support for the revised definition of “Program.” 

However, many commenters generally opposed the proposed revision to the definition of 
“Program.” The reasons primarily related to interpretations that SAMHSA did not intend to 
imply. Many commenters asked that SAMHSA not call out general medical practices as a 
separate category of provider excluded from paragraph one but included in paragraphs two and 
three of the definition of program. 

Some commenters requested clarification in various areas, including the meaning and 
examples of “holds itself out;” determining “primary function;” treatment of behavioral health 
clinics and community mental health centers; roles of general medical or dental practices that 
engage in screening, brief intervention, and referrals for treatment (SBIRT) activities, and co- 
located substance abuse/mental health counselors; whether covered part 2 facilities provide 
some, primarily provide, or only provide substance use disorder diagnosis, treatment, and referral 


to treatment; physicians who prescribe buprenorphine products and pharmacies that fill those 
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prescriptions; a general psychiatric unit that also provides substance use disorder treatment; and 
offering patients integrated behavioral health care in a primary care setting. 

Some commenters suggested limiting programs to those that meet a minimum standard, 
are specifically licensed, credentialed, or accredited, such as state licensure. Several commenters 
asked that SAMHSA provide an exception for pharmacists and pharmacies or dentists. Lastly, a 
commenter said the rule should include rehabilitation centers as medical facilities. 


SAMHSA Response: 





Based on the number and type of comments received regarding including general medical 
practices in the Program definition, SAMHSA has decided not to finalize the general medical 
practices language in the final rule. The number and type of comments led SAMHSA to believe 
separating out general medical practices from general medical facilities was more confusing than 
clarifying. Most commenters indicated a belief that SAMHSA was expanding the definition of 
program to include individuals and entities that had not previously been covered. As we’ve 
previously noted in our publicly available FAQ guidance, a practice comprised of primary care 
providers could be considered a “general medical facility and be subject to 42 CFR part 2 if they 
are both "federally assisted” and meet the definition of a program under 42 CFR 2.11. 
Nevertheless, consistent with the definition of a “program”: 

1. Ifa provider is not a general medical care facility, then the provider meets the part 2 
definition of a “Program” if it is an individual or entity who holds itself out as providing, 
and provides substance use disorder diagnosis, treatment, or referral for treatment. 


2. Ifthe provider is an identified unit within a general medical facility, it is a “Program” if it 





holds itself out as providing, and provides, substance use disorder diagnosis, treatment, or 


referral for treatment. 
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3. If the provider consists of medical personnel or other staff in a general medical facility, it 
is a “Program” if its primary function is the provision of substance use disorder 
diagnosis, treatment, or referral for treatment and is identified as such specialized medical 
personnel or other staff by the general medical facility. 

SAMHSA’s FAQ guidance further addresses the issue of what constitutes a general 
medical facility. This FAQ guidance clarifies that, while the term “general medical care facility” 
is not defined in the definitions section of 42 CFR 2.11, hospitals, trauma centers, or federally 
qualified health centers would generally be considered “general medical care” facilities. 
Therefore, primary care providers who work in such facilities would only meet part 2’s 
definition of a program if 1) they work in an identified unit within such general medical facility 
that holds itself out as providing, and provides, substance use disorder diagnosis, treatment or 
referral for treatment, or 2) the primary function of the provider is substance use disorder 
diagnosis, treatment or referral for treatment and they are identified as providers of such services. 
In addition, a practice comprised of primary care providers could be considered a “general 
medical facility.” As such, only an identified unit within that general medical care facility which 
holds itself out as providing and provides substance use disorder diagnosis, treatment or referral 
for treatment would be considered a “program” under the definition in the part 2 regulations. 
Medical personnel or staff within that facility whose primary function is the provision of those 
services and who are identified as such providers would also qualify as a “program” under the 
definition in the part 2 regulations. Other units or practitioners within that general medical care 
facility would not meet the definition of a part 2 program unless such units or practitioners also 
hold themselves out as providing and provide substance use disorder diagnosis, treatment or 


referral for treatment. 
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SAMHSA also clarifies that the program definition does not categorically exclude 
buprenorphine providers. However, holding a waiver to prescribe buprenorphine or holding a 
waiver and prescribing buprenorphine as part of primary care practice also does not lead to 
categorical inclusion of providers in the definition of a part 2 program; such determinations are 
fact-specific. Also, a health care provider that does not otherwise meet the definition of a part 2 
program would not become a program simply because they provided screening, brief 
intervention, and/or referral to treatment within the context of general health care. SBIRT is 
discussed in further detail under Section V.E (Applicability) below. 

Regarding comments on the meaning of “primary function,’ SAMHSA did not propose a 
definition of “primary function” because it has not historically received many, if any, questions 
on its meaning. 

Consistent with previously published FAQ guidance, we reiterate that “Holds itself out” 
means any activity that would lead one to reasonably conclude that the individual or entity 
provides substance use disorder diagnosis, treatment, or referral for treatment, including but not 
limited to: 

e Authorization by the state or federal government (e.g. licensed, certified, registered) to 
provide, and provides, such services, 
e Advertisements, notices, or statements relative to such services, or 


e Consultation activities relative to such services. 


i. Qualified Service Organization 





SAMHSA is adopting the definition of “Qualified Service Organization” as proposed. 


SAMHSA has revised the definition of QSO to include population health management in the list 
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of examples of services a QSO may provide. SAMHSA also revised the term “medical services” 
as listed in the examples of permissible services offered by a QSO to clarify that it is limited to 
“medical staffing services.” SAMHSA made this revision to emphasize that QSOAs should not 
be used to avoid obtaining patient consent. 


Public Comments: 





A large number of commenters supported the proposed QSO definition, particularly the 
addition of “population health management.” Many commenters requested a clarification or a 
narrow definition of “population health management.” 


SAMHSA Response: 





SAMHSA provided guidance in the NPRM preamble regarding what constitutes 
population health management services. Specifically, population health management refers to 
increasing desired health outcomes and conditions through monitoring and identifying individual 
patients within a group. To achieve the best outcomes, providers must supply proactive, 
preventive, and chronic care to all of their patients, both during and between encounters with the 
health care system. For patients with substance use disorders, who often have comorbid 
conditions, proactive, preventive, and chronic care is important to achieving desired outcomes. 
Any QSOA executed between a part 2 program and an organization providing population health 
management services would be limited to the office(s) or unit(s) responsible for population 
health management in the organization (e.g., the ACO, CCO, CPCMH, or managed care 
organization [MCO)]), not the entire organization and not its participants (e.g., case managers, 
physicians, addiction counselors, hospitals, and clinics). However, the presence of a QSOA does 
not preclude disclosures of patient identifying information to other individuals within these 


organizations based on a valid part 2-compliant consent. 
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Public Comments: 





Some commenters requested clarification about the definition, such as whether an HIE 
could be considered a QSO; whether the definition, which includes “an individual,” can include 
members of the covered entity’s workforce; and whether public health management staff can 
share part 2 information with case managers. 

A few commenters expressed opposition to the proposed definition of QSO, asserting that 
patient consent should be obtained before making a disclosure of substance use disorder 
information to multiple entities. Another commenter warned that under the definition, it would 
be difficult to track which part 2 patients may or may not be within a population health program 
at any given time. 


SAMHSA Response: 





The NPRM as well as the current (1987) definition of QSO uses the term person. Person 


is defined in the current (1987) regulations as: “Person means an individual, partnership, 





corporation, federal, state or local government agency, or any other legal entity.”” The NPRM 
definition proposed a parenthetical: “(also referred to as individual or entity).”» Because both the 
1987 regulations and the NPRM definition of person includes both individuals and entities, the 
definition of the term QSO has always included both individual and entities, the definition of the 
term QSO has always included individuals, as well as entities. 

Whether the QSO definition applies to members of an entity’s workforce and case 
managers depends on whether they meet the definition of QSO as defined in § 2.11 because such 
determinations are fact-specific. An individual or entity who does not meet the definition of a 
QSO may, however, meet the definition of “Treating provider relationship” for the purposes of 


obtaining consent. Likewise, care coordination was not added to the list of examples of 
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permissible services offered by a QSO because care coordination has a patient treatment 
component. 

Under the part 2 governing statute, patient records pertaining to the patient’s substance 
use disorder may be shared only with the prior written consent of the patient or as permitted 
under the part 2 statute, regulations, or guidance. However, the regulations may contain such 
definitions, and may provide for such safeguards and procedures, including procedures and 
criteria for the issuance and scope of orders, as in the judgment of the Secretary are necessary or 
proper to effectuate the purposes of this statute, to prevent circumvention or evasion thereof, or 
to facilitate compliance therewith. 

Regarding the concern about disclosing to multiple entities under a QSOA, as noted 
above, any QSOA executed between a part 2 program and an organization providing population 
health management services would be limited to the office(s) or unit(s)/entity(ies) responsible for 
population health management for the organization (e.g., the ACO, CCO, CPCMH, or MCO), 
not the entire organization and not its participants (e.g., case managers, physicians, addiction 
counselors, hospitals, and clinics). 


Public Comments: 





Commenters provided various suggestions to improve the definition. Several commenters 
said the definition should be expanded to permit a multi-party agreement for multi-directional 
sharing of information. Commenters said the description of the provision should address 
overlapping requirements of HIPAA and part 2 with respect to contractual agreements and 
services such as data processing and billing. A commenter said facilitating entities should be able 
to enter into QSO agreements with participating providers to perform quality improvement 


activities. Another commenter said the QSO exception to restrictions on disclosure should apply 
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to third-party payers and other holders of part 2 information, and the definition should include 
other functions to support improved care delivery. 


SAMHSA Response: 





Part 2 and its implementing statute are much more restrictive than HIPAA. Because 42 
CFR part 2 and its governing statute are separate and distinct from HIPAA, the part 2 regulations 
use different terminology than used in HIPAA. However, SAMHSA aligned policy with HIPAA 
where possible. 

Because a QSOA is a two-way agreement between a part 2 program and the entity 
providing the part 2 program and an individual or entity providing a service to a part 2 program, 
agreements between more than those two parties (e.g. multi-party agreements) are prohibited .. 
A QSOA cannot be used to avoid obtaining patient consent in the treatment context. 

As stated previously in this preamble, SAMHSA is issuing an SNPRM to seek further 
comments and information on the disclosure to and use of part 2 information by the contractors 
and subcontractors of third-party payers and other lawful holders for purposes of payment, health 
care operations, and other health care related activities before establishing any appropriate 
restrictions on disclosures to them. 


Public Comments: 





Commenters generally expressed opposition to the change of “medical services” to 
“medical staffing services” in the definition. A commenter expressed opposition to the 
interpretation that the QSO agreement executed between a part 2 program and an organization 
that provided population health management services would be limited to a specific office(s) or 
unit(s) within the organization that is/are tasked with carrying out such services. 


SAMHSA Response: 
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SAMHSA has revised the term “medical services” as listed in the examples of 
permissible services offered by a QSO to clarify that it is limited to “medical staffing services.” 
SAMHSA proposed to make this revision to emphasize that QSOAs should not be used to avoid 
obtaining patient consent. Accordingly, a QSOA could be used by a part 2 program to contract 
with a provider of on-call coverage services (previously clarified in FAQ guidance) or other 
medical staffing services but could not be used to disclose John Doe’s patient identifying 
information to his primary care doctor for the purpose of treatment (other than that provided 
under a QSOA for medical staffing services). However, an individual or entity who is prohibited 
from providing treatment to an individual patient under a QSOA may still meet the requirements 
of having a treating provider relationship (as that term is defined in § 2.11) with respect to the 
consent requirements in § 2.31. 

With respect to the comment regarding an organization providing population health 
management services, a QSOA is a two-way agreement between a part 2 program and the entity 
providing the service. We reiterate that disclosures by a QSO pursuant to a QSOA executed 
between a part 2 program and an organization that provides population health management 
services would be limited to a specific office(s) or unit(s)/entity(ies) that is/are tasked with 
carrying out such services for the organization. SAMHSA believes this is a needed safeguard to 
limit disclosures to that which is reasonably necessary to carry out services under the QSOA. 


Public Comments: 





Many commenters expressed opposition to the exclusion of “care coordination” from the 
QSO definition or requested clarification for the meaning of “care coordination.” Some 
commenters specifically requested adding care coordination to the list of services a QSO may 


provide, reasoning that it would facilitate integrated substance use disorder, health, and mental 
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health services. The commenters asserted that the addition would benefit patients’ health, safety, 
and quality of life while maintaining confidentiality protections. 


SAMHSA Response: 





In the NPRM, SAMHSA clarified that an individual or entity is prohibited from 
providing treatment to an individual patient under a QSOA. SAMHSA has revised the term 
“medical services” as listed in the examples of permissible services offered by a QSO to clarify 
that it is limited to “medical staffing services.” SAMHSA proposed to make this revision to 
emphasize that QSOAs should not be used to avoid obtaining patient consent. Accordingly, a 
QSOA could be used by a part 2 program to contract with a provider of on-call coverage services 
(previously clarified in FAQ guidance) or other medical staffing services, but could not be used 
to disclose John Doe’s patient identifying information to his primary care doctor for the purpose 
of treatment (other than that provided under a QSOA for medical staffing services). For this 
reason, care coordination and medication management, both of which have a treatment 
component, were not added to the list of examples of permissible services offered by a QSO. 
However, an individual or entity who is prohibited from providing treatment to an individual 
patient under a QSOA may still meet the requirements of having a treating provider relationship 
(as that term is defined in § 2.11) with respect to the consent requirements in § 2.31. 

Regarding the request to clarify the meaning of “care coordination” and how it differs 
from “population health management,” because SAMHSA decided not to include care 
coordination in the examples of permissible services under the definition of a QSO, we did not 
define the term “‘care coordination” in the NPRM and, therefore, decline to do so in this final 
rule. Population health management refers to increasing desired health outcomes and conditions 


through monitoring and identifying patients within a group. 
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j. Records 


SAMHSA has revised the proposed definition. As suggested by commenters, SAMHSA 
has modified the definition of “Records” by adding “created by” and a parenthetical with 


examples to read as follows: “Records means any information, whether recorded or not, created 





by, received, or acquired by a part 2 program relating to a patient (e.g., diagnosis, treatment and 
referral for treatment information, billing information, emails, voice mails, and texts). For the 
purpose of these regulations, records include both paper and electronic records.” SAMHSA 
revised the definition of “Records” to include any information, whether recorded or not, which 
includes verbal communications, created, received or acquired by a part 2 program relating to a 
patient. The revised definition makes clear that, for the purpose of the part 2 regulations, records 
include both paper and electronic records. 


Public Comments: 





A commenter remarked that the proposed definition of “records” does not address 
“identifiability,” asserting that information that is not individually identifiable, that is not 
reasonably capable of being re-identified, or that is aggregate may not need to be covered by the 
definition of record. Regarding the phrase “whether recorded or not” in the proposed definition, a 
couple of commenters requested guidance on what constitutes “unrecorded information.” 


SAMHSA Response: 





SAMHSA clarifies that unrecorded information includes verbal communications and is 
still considered part of the record. To add further clarity to the definition, SAMHSA has revised 
the definition of “Records” from the proposed language by adding examples (e.g., diagnosis, 
treatment and referral for treatment information, billing information, emails, voice mails, and 


texts). SAMHSA also added the phrase “created by” to clarify that “records” includes 
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information received, acquired, or created by a part 2 program relating to a patient. Regarding 
“identifiability,” identification is addressed in the term “Patient identifying information,” not in 
the definition of “Record.” The definition of records is just that and does not address 
information that may be disclosed. 
k. Treatment 
SAMHSA is adopting the proposed definition of “Treatment.” SAMHSA has deleted the 
term “management” from the “Treatment” definition. 


Public Comments: 





A few commenters opposed the proposed removal of the term “management” from the 
definition of “treatment” because the narrower definition would decrease information sharing 
and have a chilling effect on care coordination. A couple of commenters urged that “treatment” 
should be limited to care of the substance use disorder and not be extended to include care of 
other medical conditions secondary to or that arose because of the substance use disorder. One 
commenter suggested that “care” should be defined as it is used in the definition of “treatment.” 


SAMHSA Response: 





SAMHSA removed the term “management” from the definition of “Treatment” because 
in today’s health care environment, “management” has a much broader meaning than it did when 
the regulations were last revised. Treatment is not limited to care of the substance use disorder 
because patients with a substance use disorder often have comorbid conditions. 


3. Terminology Changes 





SAMHSA is adopting the changes proposed in this section, as described in the NPRM. In 
addition to changes to several definitions, SAMHSA is also implementing several terminology 


changes intended to ensure consistency in the use of terms throughout the regulations and to 


65 


increase the understandability of the rule. First, we made revisions to consistently refer to law 
enforcement as “law enforcement agencies or officials.” Secondly, SAMHSA revised the part 2 
regulations to use the term “entity” instead of “organization” wherever possible. Thirdly, 
SAMHSA clarifies that, for the purposes of this regulation, the term “written” includes both 
paper and electronic documentation. Fourthly, we use the phrase “part 2 program or other lawful 
holder of patient identifying information” to refer to a part 2 program or other individual or 
entity that is in lawful possession of patient identifying information. A “lawful holder” of patient 
identifying information is an individual or entity who has received such information as the result 
of a part 2-compliant patient consent (with a prohibition on re-disclosure notice) or as a result of 
one of the exceptions to the consent requirements in the statute or implementing regulations and, 
therefore, is bound by 42 CFR part 2. 


Public Comments: 





One commenter requested clarification about what entities are considered “lawful 
holders” of patient identifying information in the context of complex health care systems. For 
example, would the parent company of a health care system, each specific hospital, or each entity 
affiliated with the health care system be considered a “lawful holder”? 

Another commenter urged that the term “other lawful holder” should be clearly defined 
in the final rule. 


SAMHSA Response: 





A “lawful holder” of patient identifying information is an individual or entity who has 
received such information as the result of a part 2-compliant patient consent (with a prohibition 
on re-disclosure notice) or as permitted under the part 2 statute, regulations, or guidance and, 


therefore, is bound by 42 CFR part 2. SAMHSA cannot determine what entities are “lawful 
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holders” because such determinations are fact-specific. In addition, SAMHSA determined that 
it was not feasible to define all lawful holders of information so has not included a definition in 
the rule. As explained in the NPRM, examples of “lawful holders” include a patient’s treating 
provider, a hospital emergency room, an insurance company, an individual or entity performing 
an audit or evaluation, or an individual or entity conducing scientific research. This list provided 
in the NPRM was intended only as an illustrative example of who could be a lawful holder. 


4. Other Comments on Definitions 





Public Comments: 





Many commenters expressed general support for the proposed clarification of definitions. 
Some commenters sought new definitions for terms including HIE; recipient; population health 
management and care coordination; population health; re-disclosure; law enforcement agency or 
official; repository; and scientific research. 

Several commenters addressed the “alternative approach” discussed in the NPRM for 
allowing disclosure to treating providers by requesting the addition of a definition for 
“organization” to § 2.11. Commenters generally supported a clear definition of “organization” to 
allow for the exchange of part 2 information. One commenter, however, opposed relying upon a 
definition rather than specifying the process for consent in the rule itself. 


SAMHSA Response: 





SAMHSA did not propose definitions for the terms suggested and has decided not to 
pursue the “alternative approach” since that approach as written received no support and only 2 
commenters supported the “alternative approach with suggested revisions.” Based on comments 
received, the agency has addressed disclosures to treating providers within this rule’s consent 


requirements. 
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E. Applicability (§ 2.12) 

SAMHSA is adopting this section as proposed. In addition to the revisions to the 
definition of “Program” and the addition of a definition for “Part 2 program” mentioned above, 
SAMHSA has revised § 2.12(d)(2)(i)(C) so that restrictions on disclosures also apply to 
individuals or entities who receive patient records from other lawful holders of patient 
identifying information (see § 2.11, Terminology Changes). Patient records subject to these 
regulations include patient records maintained by part 2 programs, as well as those records in the 
possession of “other lawful holders of patient identifying information.” SAMHSA may issue 
additional subregulatory guidance addressing the applicability section, as deemed necessary, 
after publication of the final rule. 


Public Comments: 





A few commenters supported the proposed applicability provisions. Some commenters 
cited relevant preamble language but remained uncertain about who qualifies as a part 2 
provider. Several commenters requested greater clarification in identifying part 2 coverage, 
including whether the provisions apply to various models of integrated behavioral health and 
primary care; mixed-use facilities that provide primary care and behavioral health services or 
mental health and substance use treatment; certified community behavioral health centers that do 
not necessarily “primarily” furnish substance abuse services but rather provide a comprehensive 
approach to care; embedded behavioral health information within an acute care record; a medical 
facility providing several distinct books of business, of which only one receives federal 
assistance; pharmacies; dentists; Drug Addiction Treatment Act (DATA 2000)-waived 
physicians; employee assistance programs that may include substance use assessment and 


counseling; a provider who bills Medicaid and Medicare but is not otherwise a “federally 
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assisted program;” and confidential information related to safety and incident reporting. A 
commenter requested clarification about the definition of “direct administrative control” in the 
proposed provision related to exceptions for communications within a part 2 program. A 
commenter urged consideration for reporting by programs to a public health registry and 
suggested advantages of such a requirement. 

Some commenters requested applicability exemptions. Some commenters requested 
exclusions for employee assistance programs; Medicaid overutilization control programs; and 
plans with integrated care delivery models. Some commenters requested exemptions to consent 
for communications between a QSO and a part 2 program or third-party payer (e.g., Medicaid) 
and between a part 2 program. One commenter requested clarification that consent and 
disclosure requirements would not apply when the patient directs electronic disclosure for a 
consumer health application. A commenter requested clarification that services are only covered 
under part 2 if the personnel are identified as providing substance use disorder treatment outside 
the organization to the general public. Commenters favored an exception for reporting of child 
abuse and elder abuse. A few commenters mentioned certain concerns related to the proposed 
rule. A commenter argued that the proposed rule would do little to simplify requirements for 
providers, and this may result in providers not documenting substance use disorder-related 
information in medical records. Other commenters opposed the lack of protections in the 
proposal and warned that the rule would impose constraints and burdens on providing a patient’s 
behavioral health data and impede information sharing. A commenter stated that general health 
care organizations that hire an employee with substance use disorder expertise would be 
considered a covered entity, so they may be discouraged from integrating substance use disorder 


services into their operation. Similarly, hospital emergency departments may be discouraged 


69 


from hiring staff with specialized experience in substance use disorders. One commenter 
expressed concern that the rule may extend protection not just to records for substance use 
disorder treatment, but also to medical conditions and medications that allow an inference that 
the patient has a substance use disorder. One commenter argued that any substance use record 
should be protected from unauthorized disclosure for criminal justice investigations. Expressing 
support for the continued protection of substance use disorder records from disclosure and use in 
criminal investigations except under certain conditions, a commenter said that while HIPAA and 
other laws also provide similar protections, part 2 has more stringent due process and court order 
provisions. 

One commenter argued that the proposed rule exceeds the underlying statutory 
requirements in 42 U.S.C. 290dd—2 by expanding protections of substance use information and 
establishing penalties. Another commenter mentioned that the HITECH revisions to HIPAA 
already require general medical facilities to utilize enhanced security measures to protect the 
confidentiality and privacy of patient’s health records. 

A few commenters advocated that the safeguards applied to protected health information 
(as defined under HIPAA) for all other health conditions could apply for substance use disorder- 
related information. 

One commenter urged a focus on the actual information that requires protection, as 
opposed to the origin of the treatment records. Similarly, another commenter expressed 
disappointment that SAMHSA rejected the option to redefine the applicability of part 2 based on 
the type of substance use disorder treatment services, rather than the type of provider. 

Several commenters suggested exceptions to the applicability of part 2 regulations. One 


commenter said SAMHSA should create a due diligence exception to allow a part 2 program’s 
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records to be reviewed in the event of a proposed sale of the part 2 facility. Another commenter 
said SAMHSA should include an exception to allow disclosure of part 2 records in connection 
with the seeking of a grant or much needed funding for substance abuse patients. A commenter 
said SAMHSA should create a payment exception that would allow part 2 programs to submit 
information to governmental or commercial payers without the patient’s prior authorization. 

Other commenters stated that exceptions should be added for the purpose of seeking 
involuntary commitment of an individual who poses a likelihood of serious harm to self or others 
by reason of a substance use disorder, in accordance with applicable provisions of state law and 
subject to appropriate terms regarding the continued confidentiality of such data. Another 
commenter stated that the rule should specifically permit continued data collection of substance 
use disorder by state agencies. Another commenter stated that an exception limited disclosures to 
law enforcement and other appropriate parties in the event a committed patient escapes from a 
treatment facility, and to other part 2 programs and appropriate state agencies as necessary for 
purposes of discharge planning or transferring a patient without consent. 


SAMHSA Response: 





With respect to the comments recommending aligning with HIPAA, SAMHSA has 
attempted to do so in this final rule to the extent the change was permissible under 42 U.S.C. 
290dd-2. At the same time, part 2 and its governing statute are separate and distinct from 
HIPAA and its implementing regulations. Because of its targeted population, part 2 provides 
more stringent federal protections than most other health privacy laws, including HIPAA. 

As stated in the preamble discussion of the applicability (§ 2.12) in the NPRM, 
SAMHSA considered options for defining what information is covered by part 2, including 


defining covered information based on the type of substance use disorder treatment services 


71 


provided instead of the type of facility providing the services. SAMHSA however, rejected that 
approach because more substance use disorder treatment services are occurring in general health 
care and integrated care settings, which typically are not covered under the current (1987) 
regulations. Providers who in the past offered only general or specialized health care services 
(other than substance use disorder services) now, on occasion, provide substance use disorder 
treatment services, but only as incident to the provision of general health. 

The definitions of “Part 2 program” and “Program” are critical to applicability. These 
terms are defined in § 2.11. The response to comments on the definition of program in this final 
rule further clarifies coverage. Holding a waiver to prescribe buprenorphine or holding a waiver 
and prescribing buprenorphine as part of primary care practice does not lead to categorical 
inclusion of providers in the definition of a part 2 program; such determinations are fact- 
specific. The same concept applies whenever determining applicability. 

With respect to comments on part 2 coverage, although the statute may not be explicit 
with regard to certain provisions in 42 CFR part 2, the statute directs the Secretary to prescribe 
regulations to carry out the purpose of the statute, which may include definitions and may 
provide for such safeguards and procedures that in the judgment of the Secretary are necessary or 
proper to effectuate the purposes of this section, to prevent circumvention or evasion thereof, or 
to facilitate compliance therewith. For various models of integrated behavioral health, SAMHSA 
strives to facilitate information exchange within new health care models while addressing the 
legitimate privacy concerns of patients seeking treatment for a substance use disorder. These 
concerns include, but are not limited to, the potential for loss of employment, loss of housing, 
loss of child custody, discrimination by medical professionals and insurers, arrest, prosecution, 


and incarceration. 
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The response to comments on the definition of program in this final rule further clarifies 
coverage. 

SBIRT is a cluster of activities designed to identify people who engage in risky substance 
use or who might meet the criteria for a formal substance use disorder. Clinical findings indicate 
that the overwhelming majority of individuals screened in a general medical setting do not have 
a substance use disorder and do not need substance use disorder treatment. A health care 
provider that does not otherwise meet the definition of a part 2 program would not become a part 
2 program simply because they provide SBIRT within the context of general health care. 

For behavioral health facilities, SAMSHA notes that federally qualified health centers, 
community mental health centers, and behavioral health clinics meeting the definition of a part 2 
program must comply with 42 CFR part 2 and those that do not meet the definition of part 2 
program do not have to comply with 42 CFR part 2 unless they become a lawful holder of patient 
identifying information because they received patient identifying information via consent (along 
with a notice of prohibition on re-disclosure) or as permitted under the part 2 statute, regulations, 
or guidance. Rather than offer definitions or outline an exhaustive list of entities that could meet 
the definition of a part 2 program, we prefer to offer illustrative examples in the explanation of 
applicability provision of these regulations (see § 2.12(e)(1)). SAMHSA has not received 
questions in the past concerning the definition of general medical facility. 

Regarding the question of part 2 applicability when a patient directs electronic disclosure 
for a consumer health application, the NPRM preamble discussion of lawful holder in the 
Terminology Changes section stated: “A patient who has obtained a copy of their records or a 
family member who has received such information from a patient would not be considered a 


‘lawful holder’ of patient identifying information in this context.” Information disclosed by a 
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part 2 program or a lawful holder of patient identifying information is covered by 42 CFR part 2 
and requires patient consent unless disclosure is otherwise permitted under the part 2 statute or 


regulations. Therefore, it is permissible for a patient to disclose information to a personal health 





record or similar consumer health application but if a part 2 program or lawful holder of patient 
identifying information discloses that information to the personal health record or other similar 
consumer application on behalf of the patient, consent would be required. 

Regarding patient records and Medicaid overutilization control programs, the prohibition 
on re-disclosure (§ 2.32) applies to information that would identify, directly or indirectly, an 
individual as having been diagnosed, treated, or referred for treatment for a substance use 
disorder, such as indicated through standard medical codes, descriptive language, or both, and 
allows other health-related information shared by the part 2 program to be re-disclosed, if not 
prohibited by any other applicable laws. Under the current statutory authority, patient records 
pertaining to substance use disorder may be shared only with the prior written consent of the 
patient or as permitted under the part 2 statute and implementing regulations. In addition, the 
authorizing statute specifically enumerates the areas of non-applicability, which includes the 
reporting under state law of incidents of suspected child abuse and neglect to appropriate state 
and local authorities. Therefore, SAMHSA did not adopt this requested change. Regarding elder 
abuse, if a program determines it is important to report elder abuse, disabled person abuse, or a 
threat to someone’s health or safety, or if the laws in a program’s state require such reporting, the 
program must make the report anonymously, or in a way that does not disclose that the person 
making the threat is a patient in the program or has a substance use disorder, or obtain a court 


order if time allows. 
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Some commenters asked about the applicability of the part 2 regulations to various 
facilities or entities, such as rehabilitation facilities, dentists, and pharmacies. In summary, if a 
provider is not a general medical facility or does not hold itself out as providing, and provides, 
substance use disorder diagnosis, treatment or referral for treatment, it would not meet the first 
section of the definition of “Program.” If the provider is either not an identified unit within a 
general medical facility that holds itself out as providing, or does not provide, substance use 
disorder diagnosis, treatment, or referral for treatment, it does not meet the second section of the 
definition of “Program.” If the provider either does not consist of medical personnel or other 
staff in a general medical facility whose primary function is the provision of substance use 
disorder diagnosis, treatment, or referral for treatment or is not identified as such specialized 
medical personnel or other staff by the general medical facility, it does not meet the third section 
of the definition of “Program.” Whether embedded behavioral health information is covered by 
42 CFR part 2 depends on several factors: First, only patient identifying information is subject to 
part 2 protections. If the acute care facility meets the definition of a part 2 program and the 
information would identify, directly or indirectly an individual as having been diagnosed, 
treated, or referred for treatment for a substance use disorder, the information is subject to part 2 
protections; and if the acute care facility received the patient identifying information via a valid 
part 2 consent (with a notice of prohibition on re-disclosure) or as otherwise permitted under the 
part 2 statute or regulations, the information is subject to part 2 protections. 

With respect to pharmacies, when they receive prescriptions directly from part 2 
programs, the patient identifying information related to those prescriptions is subject to 42 CFR 
part 2 confidentiality restrictions (as indicated by the accompanying prohibition on re-disclosure 


notice). Pharmacies that receive paper prescriptions directly from patients (and do not receive a 
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prohibition on re-disclosure notice) are, therefore, not subject to the part 2confidentiality 
restrictions. However, if the pharmacy or pharmacist meets the definition of a part 2 program, 
they must comply with the part 2 regulations. 

In response to the commenter’s request for clarification that services are only covered 
under part 2 if the personnel are identified as providing substance use disorder treatment outside 
the organization to the general public, the third section of the definition of program uses the term 
“personnel” to state that medical personnel or other staff in a general medical facility whose 
primary function is the provision of substance use disorder diagnosis, treatment or referral for 
treatment and who are identified as such providers. This section of the definition of program 
does not include the phrase “holds itself out” as do the first two sections of the definition of 
program. In the third section of the definition, the medical personnel or other staff must be 
identified as such specialized medical personnel or other staff by the general medical facility. 

Although commenters requested an exclusion for employee assistance programs, the 
regulation text at § 2,12(d)(1) states: “Coverage includes, but is not limited to, those treatment or 
rehabilitation programs, employee assistance programs, programs within general hospitals, 
school-based programs, and private practitioners who hold themselves out as providing, and 
provide substance use disorder diagnosis, treatment, or referral for treatment. 

Commenters requested an exemption for communications between a part 2 program and 
another entity under common ownership or control, but SAMHSA declines to make the 
requested change. However, as stated in the regulatory text (§ 2.12(c)(3) restrictions on 
disclosure in these regulations do not apply to communications of information between or among 


personnel having a need for the information in connection with their duties that arise out of the 
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provision of diagnosis, treatment, or referral for treatment of patients with substance use 
disorders if the communications are: 

(i) Within a part 2 program; or 

(ii) Between a part 2 program and an entity that has direct administrative control over the 
program.” 

SAMHSA declines to add the various suggested exceptions to the applicability of the 
part 2 regulations, and encourages all stakeholders to consult with legal counsel to ensure 
compliance with 42 CFR part 2, as well as any other applicable federal, state, or local laws or 
regulations. SAMHSA is limited by statute to the specific exceptions listed in the law; it cannot, 
therefore, add exceptions. As stated previously, SAMHSA is authorized to promulgate 
regulations and to provide such safeguards and procedures necessary to carry out the purposes of 
the authorizing statute. SAMHSA has endeavored to strike an appropriate balance between the 
important privacy protections afforded patients with substance use disorders and the necessary 
exchange of information to improve treatment outcomes for these individuals. 

F. Confidentiality Restrictions and Safeguards (§ 2.13) 

SAMHSA is modifying this section slightly from that proposed in the NPRM by adding a 
paragraph clarifying responsibility for the List of Disclosures requirement. As discussed in the 
proposal, because SAMHSA is revising the consent requirements to allow a general designation 
in certain circumstances, we have revised § 2.13 by adding a paragraph (d), which requires that, 
upon request, patients who have included a general designation in the “To Whom” section of 
their consent form must be provided, by the entity that serves as an intermediary, a list of entities 
to which their information has been disclosed pursuant to the general designation (List of 


Disclosures). 
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The new § 2.13(d) specifies that patient requests for a list of entities to which their 
information has been disclosed must be in writing. Consistent with the NPRM, we consider 
“written” to include both paper and electronic documentation. The list is limited to disclosures 
made within the past 2 years. 

Further, entities named on the consent form that disclose information pursuant to a 
patient’s general designation (entities that serve as intermediaries as described in 
§ 2.31(a)(4)(11)(B)) must respond to requests for a List of Disclosures in 30 or fewer days of 
receipt of the request. 


1. Delayed Implementation of List of Disclosures Provision 





Public Comments: 





Several commenters raised concerns about how to interpret the two-year delayed 
implementation of List of Disclosures and whether the general designation will be used during 
that period. A commenter expressed concern about the immediate implementation of the general 
designation while the right of patients to obtain a List of Disclosures is postponed for two years. 

Other commenters stated that, based on the NPRM language, HIEs will not be able to 
take advantage of a general designation on the consent form until they have the ability to comply 
with the List of Disclosures requirement. 

Commenters said SAMHSA needs to clarify that the duty to begin collecting and storing 
disclosures under the general designation begins two years after the effective date of the final 
rule and not before. 

A commenter recommended that the right to obtain a list of those who have received the 


patient’s information should be implemented simultaneously with any other revisions to the part 
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2 regulation. Another commenter said SAMSHA should implement the List of Disclosures 
requirement within 90 days. 


SAMHSA Response: 





SAMHSA clarifies that the general designation on a consent form may not be used until 
entities have the ability to comply with the List of Disclosures provision. However, SAMHSA 
has removed the two-year delayed compliance date for the List of Disclosures provision for the 
reasons discussed in Section IV above. 


2. Responsibilities under the List of Disclosures Process 





Public Comments: 





Commenters said SAMHSA should allow non-treating entities, that do not have a treating 
provider relationship with the patient whose information is being disclosed and serve as 
intermediaries named on the consent form, to release the List of Disclosures to the facility where 
the patient receives care (or the part 2 program), rather than to the patient directly. One 
commenter said because this process, in which the patient/consumer requests and receives the 
List of Disclosures from the site where they receive care/part 2 program, rather than from the 
HIE, resembles the process currently being used to meet HIPAA disclosure requirements, it 
could be implemented without requiring additional burdens on HIEs. Since most HIEs are not 
patient-facing, commenters stated that there are typically not policies or procedures in place for 
interacting with patients directly, particularly for patient authentication, and suggested it be done 
at the provider level, and that the patient communication be maintained at the part 2 program 
level. 

Other commenters said SAMHSA does not specify what responsibility, if any, the part 2 


program has to coordinate or verify the compliance of the CCO or HIE with the List of 


1 


disclosures. One commenter said if SAMHSA intends for the part 2 program to have any 
responsibilities beyond this, then it should obtain additional feedback from part 2 programs 
before proposing any new obligations. Some commenters appeared to assume the part 2 program 
was responsible for the List of Disclosures and requested that SAMHSA modify the requirement 
to impose the duty directly upon the HIE, ACO, CCO, or research institution to provide the 
listing to the patient, rather than the part 2 program. 

A commenter said SAMSHA should clarify what entities must be included on the List of 
Disclosures when the entity is part of a complex healthcare system. 

Another commenter said the absence of requiring disclosure of individual names 
undermines the intent of the List of Disclosures and undermines the purpose of expanding the 
“To Whom” provision and the patient's incentive or willingness to consent to a general 
designation. The commenter said the provision must be very explicit in disclosing those agencies 
or individuals that will receive the patients’ medical information. 


SAMHSA Response: 





Regarding the suggestion to allow entities that serve as intermediaries as 
described by § 2.31(a)(4)(i11)(B) to release the List of Disclosures to the facility where the patient 
receives care (or the part 2 program) or with the providers to whom the disclosure was made, 
rather than directly to the patient, SAMHSA has decided to retain the NPRM language and 
proposed responsibilities because the party making the disclosure under the general designation 
should be accountable for that disclosure. SAMHSA has clarified in paragraph § 2.31(d)(3) that 
the part 2 program is not responsible for complying with the List of Disclosures requirement; the 
entity that serves as an intermediary, as described in § 2.31(a)(4)(Gii)(B), is responsible for 


compliance with the List of Disclosures requirement. 


80 


SAMHSA plans to issue subregulatory guidance that clarifies how the patient may 
request the List of Disclosures from intermediaries as described by § 2.31(a)(4)(i11)(B). 

On the responsibility of part 2 providers to comply with the List of Disclosures 
requirement, SAMHSA agrees with the commenters that more clarity is needed. In the 
circumstance in which a patient provides a general designation in the “To Whom” part of a 
consent form, the part 2 program may not know to whom the disclosures have been made by the 
entity that serves as an intermediary. As such, the List of Disclosures provision requires that: the 
entity named on the consent form that discloses information pursuant to a patient's general 
designation (the entity that serves as an intermediary, as described in § 2.31(a)(4)(i11)(B)) must: 
(i) Respond in 30 or fewer days of receipt of the written request; and 
(11) Provide, for each disclosure, the name(s) of the entity(ies) to which the disclosure was made, 
the date of the disclosure, and a brief description of the patient identifying information disclosed. 
Further, paragraph (d)(3) clarifies that the part 2 program is not responsible for complying with 
§ 2.13(d). 

In response to the request for clarification on what entities must be listed on the List of 
Disclosures and suggestion that individuals (rather than entities with whom such individuals are 
affiliated) must be listed , SAMHSA clarifies that the List of Disclosures must include a list of 
the entities to which the information was disclosed pursuant to a general designation. Individuals 
who received patient identifying information pursuant to the general designation on a consent 
form should be included on the List of Disclosures based on an entity affiliation, such as the 
name of their practice or place of employment. However, if entities that are required to comply 


with the List of Disclosures requirement wish to include individuals on the List of Disclosures, in 
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addition to the required data elements which are outlined in § 2.13(d)(2)(ii), nothing in this rule 
prohibits it. 

SAMHSA considered requiring both individuals and entities to be included on the List of 
disclosures but, after reviewing the Health Information Technology Privacy Committee's 
(HITPC’s) recommendations 
(https://www.healthit.gov/sites/faca/files/PSTT_Transmittal010914.pdf), decided to require, at a 
minimum, a list of entities. These recommendations addressed the HITECH requirement that 
HIPAA covered entities and business associates account for disclosures for treatment, payment, 
and health care operations made through an EHR. The Transmittal Letter recommended, “that 
the content of the disclosure report be required to include only an entity name rather than a 
specific individual as proposed in the NPRM.” In addition, the Transmittal Letter noted that the 
Organization for Economic Cooperation and Development (OECD) principles, the Fair Credit 
Reporting Act, and the Privacy Act of 1974 do not require that the names of individuals be 
provided. The HITPC, a committee established by the American Recovery and Reinvestment 
Act of 2009 in accordance with the Federal Advisory Committee Act (FACA), provides 
recommendations on health IT policy issues to the ONC for consideration. The HITPC gave a 
broad charge to its Privacy & Security Tiger Team (Tiger Team) “to provide recommendations 
on how to implement the requirements of the HITECH Act of 2009 for covered entities and 
business associates to account for disclosures for treatment, payment and health care operations 
made through an EHR. In the referenced Transmittal Letter, the HITPC did not focus on 42 CFR 
part 2, however, given the similarities of the issues and the importance of the lessons the Tiger 
Team learned, SAMHSA was persuaded by the Tiger Team’s discussion. 


3. Technological Challenges and Burden of the List of Disclosures Provision 
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Public Comments: 





Public Comments: 





Many commenters argued that entities may not be equipped to maintain and provide a 
List of Disclosures. A few commenters expressed general concern about the burden associated 
with the List of Disclosures provision. Several commenters added that the burden is 
disproportionate to the anticipated benefit. Other commenters specified areas of burden, 
including administering consents; developing a tracking system; manually reviewing or auditing 
all records; and transmitting information by U.S. mail. Some comments mentioned the 
operational impact of the provision, including the impact on existing business practices; 
uncertainty about interoperability with additional systems; and operationalizing a different 
approach for HIPAA. One commenter argued that HIPAA already provides sufficient protections 
through the requirement for tracking and providing an accounting of certain disclosures. Another 
commenter expressed concern that there are varying levels of technical resources available for 
compliance with the rule. 

A commenter warned that one component of the Affordable Care Act is its focus on 
sharing of certain medical information and the proposed regulation may prevent realization of 
that goal. Similarly, another commenter said, if HIEs are included in the disclosure request, 
entities would be left with the choice of either not sending this information, which would then 
not be available in emergent situations, or not complying with this requirement. Another 
commenter said creating additional accounting requirements, without further clarification on the 
interoperability of such EHR systems, can create a state of continuous uncertainty and flux, 
deterring investment into substance use disorder treatment programs within integrated care 


networks. 
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Some commenters stated that the proposed provision conflicts with existing HIPAA 
accounting of disclosure requirements or state laws. Other commenters said it would be 
administratively burdensome to implement, particularly in light of the fact that the health 
information technology industry is still waiting for OCR to determine how it will address the 
HITECH changes to HIPAA accounting of disclosures. 

For the above reasons, some commenters urged SAMHSA not to include the List of 
Disclosures provision in the final rule; delay promulgating until OCR decides how it will 
approach the HITECH provisions concerning the HIPAA accounting of disclosures requirement; 
and engage with OCR, providers, and vendors to fully understand the implications of such a 
requirement before establishing an implementation date for the List of Disclosures requirement. 


SAMHSA Response: 





SAMHSA is including the List of Disclosures requirement in the final rule to balance the 
flexibility of allowing a general designation in the “To Whom” section of the consent form 
against the protection of patient privacy. We understand commenter concerns about the technical 
feasibility of implementing the List of Disclosures requirement. However, there is no timeframe 
in which part 2 programs and lawful holders need to comply with the List of Disclosures 
requirements; only the condition that if they choose to have the option to disclose information 
pursuant to a general designation on the “To Whom” part of the consent form, they must also be 
capable of providing a List of Disclosures upon request per § 2.13(d). Because the general 
designation is not mandated on a consent form, this allows entities time to develop and test the 
technology needed for compliance with the List of Disclosures requirements or to decide not to 
disclose information pursuant to a general designation and not implement technology needed for 


compliance with the List of Disclosures provision. 
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Public Comments: 





A commenter said the List of Disclosures will impose a complex burden upon all parties 
involved in the disclosure and receipt of substance use disorder treatment, asserting that the 
disclosing party — if it is not a part 2 program — would need to know that the information being 
disclosed is subject to the part 2 requirements. The commenter said there may be a question of 
whether this type of disclosure would be prohibited per the Prohibition on re-disclosure 
provision, and this becomes more complex if further disclosures or re-disclosures take place. 


SAMHSA Response: 





SAMHSA responds that the entity that serves as an intermediary should be provided a 
copy of the part 2-compliant consent form or the pertinent information on the consent form 
necessary for the intermediary to comply with the signed consent. The providers with a treating 
provider relationship with the patient whose information is being disclosed would be aware of 
the part 2 protections because the disclosure would also be accompanied by the prohibition on 
re-disclosure notice. 


Public Comments: 





A commenter said SAMHSA has not addressed whether there will be a cost to the patient 
for obtaining a List of Disclosures. If patients will be required to pay a fee for this list of 
disclosures, the commenter said SAMHSA should establish a reasonable fee for the provision of 
the List of Disclosures. 


SAMHSA Response: 





SAMHSA strongly encourages entities to provide the List of Disclosures at no 
charge to the patient. 


4. Recommendations to Further Protect Patient Privacy 
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Public Comments: 





A commenter said SAMHSA should require the List of Disclosures to include all 
disclosures of the patient's health information, whether such disclosure was made pursuant to a 
consent form, QSOA, medical emergency, or any other means. Similarly, another commenter 
stated that, when a record of all uses and disclosures already exists, a program should be required 
to make that record available to a patient upon request. Other commenters asserted that the List 
of Disclosures should be presented to the patient at the time the consent is signed, rather than 
after the disclosures have been made. A commenter said patients should also be given the 
option, at the time of signing, to cross out entities to whom they do not want their information 
disclosed. Also, a commenter said patients should be informed of changes to the list that may 
now have access to their information. 

Some commenters expressed concern that the List of Disclosures would be limited to 
disclosures made within the past two years, which does not allow the patient to learn about past 
data breaches. Some commenters recommended expanding the time period to five years or not 


including a time limit. 





SAMHSA Response: 

In response to these concerns and recommendations about increasing patient privacy 
rights, SAMHSA clarifies that the List of Disclosures provision was proposed in the NPRM as a 
way to balance the revision to the consent form allowing a more general designation in the “To 
Whom.” section, which is optional. The List of Disclosures provision is limited to information 
disclosed pursuant to the general designation by the entity that serves as the intermediary, but 
these entities as well as part 2 programs are not prohibited from providing patients with all 


available information. Patients will have the right to request this List of Disclosures and have it 
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produced in a timely fashion; however, SAMHSA has chosen not to require entities to provide 
this information at the time of patient consent as this would be impossible because disclosure of 
the patient’s information has not occurred at that point. SAMHSA also emphasizes that patients 
are not required to use a general designation in the “To Whom” section of the consent form. 
Therefore, patients can limit disclosures by a more concrete specification (1.e., named 
individual(s)). 

In response the comments on expanding the time period that the List of Disclosures 
covers, this final rule’s provision to limit the List of Disclosures to those made within the last 
two years does not preclude an entity that serves as an intermediary from providing the patient 
with a list covering disclosures made for periods greater than two years. 


Public Comments: 





A commenter said SAMHSA should not include the sample language for a request for a 
List of Disclosures under the general designation in the final rule because HIPAA has shown that 
entities construe such sample language as mandates to use the sample language, thereby making 
it more difficult for an individual to request such information, and hindering their ability to 
obtain such information contrary to the intent of the proposed rule. The commenter suggested 
that SAMHSA, as part of this rule or in subregulatory guidance at a later date, recommend that 
certain criteria be included as part of an individual’s request for such disclosures. 


SAMHSA Response: 





SAMHSA did not intend for the sample language for a request for a list of disclosures 
provided in the NPRM to be construed as a requirement for requesting a List of Disclosures, but 
rather to assist patients in making such a request. SAMHSA is retaining the sample language in 


this rule. 
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Public Comments: 





A commenter asserted that states can set a higher standard than part 2, but the NPRM 
language would lead the patient to think that they could get information via unencrypted email. 
The commenter suggested the provision be modified to indicate that responses sent to the patient 
electronically may be sent by unencrypted email at the request of the patient “so long as it is not 
prohibited by applicable law.” In addition, the commenter said the final rule should require 
patients to be notified that there may be some level of risk that the information in an unencrypted 
email could be read by a third party. In addition, the commenter said the rule should state that, if 
patients are notified of the risks and still prefer unencrypted email, the patient has the right to 
receive the information in that way, and entities are not responsible for unauthorized access of 
the information while in transmission to the patient based on the patient's request. 


SAMHSA Response: 





The language regarding unencrypted email transmissions appears in the NPRM preamble 
only and acknowledges both encrypted and unencrypted email as acceptable modes of 
transmission. The language goes on to say: “Responses sent to the patient electronically may be 
sent by encrypted transmission (e.g., encrypted email or portal), or by unencrypted email at the 
request of the patient, so long as the patient has been informed of the potential risks associated 
with unsecured transmission. Patients should be notified that there may be some level of risk that 
the information in an unencrypted email could be read by a third party. If patients are notified of 
the risks and still prefer unencrypted email, the patient has the right to receive the information in 
that way, and entities are not responsible for unauthorized access of the information while in 
transmission to the patient based on the patient's request. Before using an unsecured method to 


respond to a request for a list of disclosures, an entity should take certain precautions, such as 
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checking an email address for accuracy before sending it or sending an email alert to the patient 
for address confirmation to avoid unintended disclosures.” SAMHSA does not intend to be 
prescriptive regarding how the information is relayed to the patient or to preempt applicable state 
law that may prohibit unencrypted transmission (see § 2.20). 


Public Comments: 





A commenter said the NPRM abandoned the current statement that the rule does not 
restrict a disclosure that “an identified individual is not and has never been a patient.” The 
commenters said the new approach militates against fishing by third parties. 


SAMHSA Response: 





SAMHSA agrees with the commenter that prohibiting a disclosure that “an identified 
individual is not and has never been a patient” mitigates against fishing by third parties. In the 
NPRM, SAMHSA proposed to remove the concept from § 2.13(c)(2) that the regulations do not 
restrict a disclosure that an identified individual is not and never has been a patient and has 
retained this position in the final rule. 


Public Comments: 


Commenters made other recommendations relating to the proposed List of Disclosures 
requirement focused on generally improving patients’ rights, including suggestions to keep 
information confidential; notify when a treating provider has accessed the patient’s confidential 
information; ensure patient-approved information sharing; provide a process by which an 
individual can raise a complaint; and disclose to patients in plain language. 


SAMHSA Response: 





SAMHSA acknowledges and shares the commenters’ concerns with patient privacy. We 
believe that the List of Disclosures requirement as proposed in the NPRM is adequate to inform 


patients of how their information has been shared in the event that they provided a general 
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designation in the “To Whom” portion of their consent. SAMHSA encourages entities to provide 
the information associated with a List of Disclosures in plain language and with sufficient 
specificity so that patients understand the List of Disclosures, including the brief description of 
the patient identifying information disclosed. 


5. Other Comments and Recommendations on the List of Disclosures Provision 





Public Comments: 





One commenter recommended that SAMHSA allow consent to include a description of 
HIE as a function to support patient care, and exclude this function from the information 
disclosure accounting [List of Disclosure] requirement. 

A commenter recommended that SAMHSA offer additional guidance on best practices 
and make infrastructure grants available to create the necessary modifications within providers’ 
EHRs or other consent tracking systems. 

Some commenters made other suggestions. For example, a commenter requested that 
SAMHSA define “in writing” and “written requests” as those terms are used in the List of 
Disclosures provision (§ 3.13(d)). Another commenter urged SAMHSA to explore options to 
reduce the cost of the List of Disclosures provision and further clarify how the enhanced 
protection of substance use disorder treatment information can be consistent and interoperable 
with other health systems. 


SAMHSA Response: 





As for the request to define “in writing” and “written requests” as those terms are used in 
the List of Disclosures provision, in the NPRM preamble discussion of Terminology Changes, 
SAMHSA explained that for the purposes of this regulation, we also propose that the term 


“written” include both paper and electronic documentation. 
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The consent requirements (§ 2.31) include the option of including in the “To Whom” 
section of the consent form the name of an entity that does not have a treating provider 
relationship with the patient whose information is being disclosed (and is not a third-party payer 
that requires patient identifying information for the purposes of reimbursement for the services 
rendered by the part 2 program) and either the name(s) of an individual participant(s); or the 
name(s) of an entity participant(s) that has a treating provider relationship with the patient whose 
information is being disclosed ; or a general designation of an individual or entity participant(s) 
or class of participant(s) who has a treating provider relationship with the patient whose 
information is being disclosed. Any HIE that serves as an intermediary is subject to the List of 
Disclosures requirement regardless of its other “functions.” Regarding the requests for guidance, 
SAMHSA may issue additional subregulatory guidance on this provision after this final rule is 
published. 

G. Security for Records (§ 2.16) 

SAMHSA is adopting this section as proposed except for some non-substantive, technical 
changes to the language in proposed § 2.16(a)(2)(i). SAMHSA is modernizing this section to 
address both paper and electronic records. First, SAMHSA revised the heading by deleting the 
word “written” so that it now reads: Security for Records. Secondly, SAMHSA clarified that this 
section requires both part 2 programs and other lawful holders of patient identifying information 
to have in place formal policies and procedures for the security of both paper and electronic 
records. Finally, SAMHSA has replaced language in other sections of part 2 with a reference to 
the policies and procedures established under § 2.16, where applicable. As noted above, 
SAMHSA has made some technical changes to the language in proposed § 2.16(a)(2)(1). In 


particular, to more closely align with the HIPAA Security Rule, SAMHSA has revised 
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§ 2.16(a)(2)(i) to require that part 2 program security for electronic records policies must include 
“creating, receiving, maintaining, and transmitting such records.” The proposed language was 
“copying, downloading, forwarding, transferring, and removing such records.” 


Public Comments: 





Some commenters supported the proposed provisions on security and stated that they 
provide appropriate protections. However, many commenters asserted that the security 
provisions of HIPAA should be followed and that those requirements should satisfy the part 2 
provisions. 

A commenter also supported the use of internal confidentiality agreements. 

A commenter expressed concern that the rule does not address what a non-part 2 provider 
who receives part 2 data must do to ensure adequate safeguards are in place. Similarly, another 
commenter expressed concern about security obligations that would be placed on other lawful 
holders, such as courts, law firms, family members, or other private citizens who are often not 
the types of providers subject to the current (1987) part 2. 

One commenter recommended an expiration date for electronic records. Another 
commenter recommended that the use of secure, certified HIT be added as a requirement for part 
2 program providers, as well as any services provided that conduct audits and evaluations related 
to transition of patient information. 


SAMHSA Response: 





SAMHSA appreciates the support of commenters on this issue. On the issue of HIPAA, 
covered entities must comply with all regulations that are applicable to them. Because some 
entities subject to this rule are not subject to HIPAA, SAMHSA may provide subregulatory 


guidance after the rulemaking on the extent to which compliance with HIPAA security 
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requirements, for those subject to them, will satisfy § 2.16. SAMHSA emphasizes that if an 
entity already has security practices and policies in place that meet the requirements of this rule, 
whether those practices were developed to meet the regulatory requirements or simply as a 
matter of good practice, the entity may not need to take additional action on this issue. In the 
NPRM, SAMHSA suggested resources for part 2 programs and other lawful holders for 
developing formal policies and procedures including materials from the HHS Office for Civil 
Rights (e.g., Guidance Regarding Methods for De-identification of Protected Health Information 
in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy 
Rule), and the National Institute of Standards and Technology (NIST) (e.g., the most current 
version of the Special Publication 800-88, Guidelines for Media Sanitization). 

On the issue of use of internal confidentiality agreements and the required use of secure, 
certified Health IT, § 2.16 provides requirements for formal policies and procedures to 
reasonably protect against unauthorized uses and disclosure of patient identifying information 
and to protect against reasonably anticipated threats or hazards to the security of patient 
identifying information. A part 2 program or other lawful holder of patient identifying 
information may impose any additional requirements that they feel will enhance protections. 

With regard to security of the records lawfully obtained by non-part 2 programs, § 2.16 
applies equally to these entities (referred to as lawful holders of patient identifying information). 
The required formal policies and procedures are intended to ensure protection of patient 
identifying information when electronic records are exchanged electronically using health IT, as 
well as when they are exchanged using paper records. In addition, the formal policies and 
procedures will have to address, among other things, the sanitization of hard copy and electronic 


media, which is addressed in the NPRM discussion of Disposition of Records by Discontinued 
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Programs (§ 2.19). On the concern raised that § 2.16 places an unreasonable burden on courts, 
law firms, family members, or other private citizens who may obtain the information, a patient 
who has obtained a copy of his or her records or a family member or private citizen who has 
received such information from a patient would not be considered a lawful holder of patient 
identifying information in this context. Generally, consents and permissible disclosures are 
initiated by a lawful holder who desires the information and, therefore, the lawful holder would 
already be familiar with part 2. 

H. Disposition of Records by Discontinued Programs (§ 2.19) 

SAMHSA is modifying this section from that proposed in the NPRM in response to 
public comments, as discussed below. In this section, SAMHSA addresses the disposition of 
both paper and electronic records by discontinued programs, including added requirements for 
sanitizing paper and electronic media, which is distinctly different from deleting electronic 
records and may involve clearing (using software or hardware products to overwrite media with 
non-sensitive data) or purging (degaussing or exposing the media to a strong magnetic field in 
order to disrupt the recorded magnetic domains) the information from the electronic media. If 
circumstances warrant the destruction of the electronic media prior to disposal, destruction 
methods may include disintegrating, pulverizing, melting, incinerating, or shredding the media. 
SAMHSA expects the process of sanitizing paper media (including printer and facsimile (FAX) 
ribbons, drums, etc.) or electronic media to be permanent and irreversible, so that there is no 
reasonable risk that the information may be recovered. For the purpose of this rule, SAMHSA 
makes a distinction between electronic devices (something that has computing capability, such as 
a laptop, tablet, etc.) and electronic media (something that can be read on an electronic device, 


such as a CD/DVD, flash drive, etc.). 
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Public Comments: 





A commenter expressed support for the proposal related to disposition of records by 
discontinued programs. Another commenter recommended that the rule allow for “selective 
sanitizing,” using methods that will not require overwriting the entire electronic media. Two 
commenters asked about patient records when a program is acquired by another program. A 
commenter suggested that the rule should address situations in which a patient cannot be located 
or is deceased and cannot give consent. The commenter provided multiple suggestions relating to 
disposition of records, including permit more flexible means of storage; permit scanning and 
electronic storage of records; do not require transfer to a portable device; offer an option to store 
records in a production encrypted network storage device. This commenter also asserted that 
sanitation of electronic communications would not be feasible in organizations storing millions 
of electronic records; requiring storage of a portable electronic device in a sealed container does 
not add additional security if it is already encrypted; and deleting substance use information from 
records does not conceal the fact that someone has a substance use disorder but instead 


highlights the fact. 





SAMHSA Response: 

SAMHSA acknowledges the support for the proposed provision. With regard to the issue 
of multiple sources of records, we have revised the language in the final rule to allow one year to 
complete the process of sanitizing paper or electronic media (see § 2.19(b)(2)(i1i)). This change 
should allow for select patient records to be removed from both the specific site and any 
operational sources without disrupting other patient records. Regarding acquisition of one 
program by another, the § 2.19(a) regulatory text outlines the exceptions to removing patient 


identifying information from its records or destroying its records. 
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If the patient cannot be located or is deceased and cannot give consent, the part 2 
program that has discontinued operations or is taken over or acquired by another program, must 
remove the patient’s identifying information from its records, including sanitizing any associated 
hard copy or patient records or patient identifying information residing on electronic media, to 
render the patient identifying information non-retrievable in a manner consistent with policies 
and procedures under § 2.16. 

Regarding comments on more flexible means of electronic record storage, SAMHSA has 
revised § 2.19(b)(2) to allow for more flexibility. The revised language allows for electronic 
records to be transferred to a portable electronic device with implemented encryption to encrypt 
the data at rest so that there is a low probability of assigning meaning without the use of a 
confidential process or key and implemented access controls for the confidential process or key 
(see § 2.19(b)(2)(i)); or transferred, along with a backup copy, to separate electronic media, so 
that both the records and the backup have implemented encryption to encrypt the data at rest so 
that there is a low probability of assigning meaning without the use of a confidential process or 
key and implemented access controls for the confidential process or key (see § 2.19(b)(2)(ii)). 
For electronic storage of the records, if the records are scanned, they would have to be 
maintained consistent with § 2.19(b)(2) and the paper records would have to be destroyed 
consistent with § 2.16. Regarding portable device storage, the final § 2.19 language specifies that 
the portable electronic device or the original and backup electronic media must be sealed in a 
container along with any equipment needed to read or access the information. The sealed 
container prevents the portable electronic device or the original and backup electronic media 
from being separated from the equipment needed to read or access the information. 


I. Notice to Patients of Federal Confidentiality Requirements (§ 2.22) 
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SAMHSA is adopting this section as proposed. Consistent with the NPRM, SAMHSA 
considers the term “written” to include both paper and electronic documentation. Accordingly, 
the notice to patients may be either on paper or in an electronic format. SAMHSA also revised 
§ 2.22(b)(2) to require the statement regarding the reporting of violations to include contact 
information for the appropriate authorities. 


Public Comments: 





Several commenters expressed support for the proposed provisions, particularly the 
allowing of electronic notice, and they encouraged the use of plain language and notices in 
languages other than English. Several commenters recommended that SAMHSA should make a 
sample notice or language available to covered entities. One commenter asked how written 
notice can be provided for encounters that are not in person. 

Other commenters suggested that the patient be given copies rather than written 
summaries of state and federal law; a paper report, if requested; the right to request and obtain 
restrictions; and a description of how patient information may be disclosed for scientific 


research. 





SAMHSA Response: 

The final rule requires that the notice include contact information for the appropriate 
authorities for reporting violations. SAMHSA believes this change will make it easier for 
patients to identify to whom they should file a complaint of a potential violation of part 2. 
Therefore, SAMHSA declines to include a sample complaint form at this time but may consider 
whether to issue one outside of this rulemaking process. SAMHSA also declines to require 
copies rather than summaries of state and federal law because the notice to patients of federal 


confidentiality requirements is required to provide citations to the federal law and regulations 
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that protect the confidentiality of patient records and including information concerning state laws 
and regulations is optional. The notice must also be provided in writing but as was discussed in 
Terminology Changes (§ 2.11), the term “in writing” includes both paper and electronic 
documentation. Because the purpose of the notice is to communicate to the patient the federal 
law and regulations that protect the confidentiality of patient records, SAMHSA declines to 
require anything additional. However, if a part 2 program wishes to provide additional 
information, nothing in this provision prohibits them from doing so. 

J. Consent Requirements (§ 2.31) 

SAMHSA is finalizing the consent requirements in this section, with certain 
modifications as described in greater detail below. In summary, SAMHSA is adopting all 
proposed changes to § 2.31 except for two at this time. In the “From Whom” section of the 
consent requirements (§ 2.31(a)(2)), SAMHSA decided not to finalize its proposal to remove the 
general designation option, but did make minor updates to the terminology in the current (1987) 
regulatory text. As explained in greater detail below, the final “From Whom” provision of the 
consent requirements specifies that a written consent to a disclosure of part 2 information must 
include the specific name(s) or general designation(s) of the part 2 program(s), entity(ies), or 
individual(s) permitted to make the disclosure. SAMHSA also decided not to finalize the 
proposed requirement that a part 2 program or other lawful holder of patient identifying 
information obtain written confirmation from the patient that they understand the terms of the 
consent. 

SAMHSA has revised the section heading from “Form of written consent” to “Consent 
requirements.” SAMHSA also made revisions to the two other sections of the consent form 


requirements: the “To Whom” section and the “Amount and Kind” section. SAMHSA also 
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revised § 2.31 to require a part 2 program or other lawful holder of patient identifying 
information to include on the consent form that patients, when using a general designation in the 
“To Whom” section of the consent form, have the right to obtain, upon request, a List of 
Disclosures (see § 2.13). In addition, SAMHSA revised § 2.31 to permit electronic signatures to 
the extent that they are not prohibited by any applicable law. 


1. General Comments on Consent Requirements 





a. General 


Public Comments: 





SAMHSA received many comments on the proposed rule’s updated consent 
requirements. Some commenters generally supported the new consent requirements. Other 
commenters listed various reasons for their support, including increased facilitation of informed 
patient decisions, increased patient choice with regard to protection of their health information, 
and increased sharing of health care records among providers. One commenter supported the use 
of paper and electronic forms of written consent. 

Many commenters, however, expressed general opposition to the proposed consent 
requirements. Several commenters argued that the proposed rule created unnecessary burdens for 
providers, such as staff training, constant updates to consent forms, and expensive updates to 
provider EHRs. Several commenters argued the proposed consent rules would create obstacles to 
information sharing and integrated care. Specifically, a commenter argued that the “To Whom” 
and “From Whom” format restricts who within organizations can view a patient’s records, 
further hampering coordinated care. Another commenter argued that the proposed consent form 
requirements would make it difficult for many HIEs to exchange part 2 information, and that the 


new requirements do little to promote a patient’s informed consent. A couple of commenters 
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argued that the proposed regulations would reduce access to substance use disorder treatment 
being added by general health care organizations, due to administrative burden and liability 
fears. General health care providers are less likely to add substance use disorder treatment, or 
partner or undertake projects with substance use disorder treatment providers. Another 
commenter stated this rule may result in providers not screening patients for substance use 
disorders and not documenting substance use disorder related information. 

According to a few commenters, the current part 2 regulations exceed the statutory 
requirements that led to the regulations. One commenter suggested that 42 U.S.C 290dd-2 
requires consent to share information and does not allow any shared information to be used for 
prosecution. The commenter goes on to state that nothing in Title 42, U.S.C. section 290dd—2 requires 
an explicit description of what information can be released, or requires time limits on consent. The 


commenter suggested that SAMHSA could reduce confusion and administrative burden by proposing 


revisions that are much more consistent with HIPAA than its current proposal. 


SAMHSA Response: 





Regarding the comments on statutory authority, we do not agree that the regulations in 42 
CFR part 2 exceed the authority provided for in 42 USC 290dd-2. The statute specifies that 
patient identifying information may be disclosed in accordance with prior written patient 
consent, “but only to such extent under such circumstances, and for such purposes as may be 
allowed under regulations prescribed” by the Secretary. 

Regarding concerns about unnecessary burdens for providers, such as staff training, 
constant updates to consent forms, and expensive updates to provider EHRs, these burdens might 
be offset by the benefits of increased in flexibility in the consent requirements. With respect to 


obstacles to information sharing, one of SAMHSA’s goals for this rulemaking is to ensure that 
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patients with substance use disorders have the ability to participate in and benefit from new 
integrated health care models without fear of putting themselves at risk of adverse consequences. 


Public Comments: 





Some commenters stressed that consent forms should be easy to read, accessible to 
limited English proficiency patients, and should meet HIPAA’s plain language requirements. 
Commenters stated that language and literacy concerns could be barriers to actual understanding 
of the form’s contents. Similarly, suggesting that SAMHSA take into account the reading level 
standards in other health programs, including Medicare and Medicaid, one commenter asserted 
that the proposed regulations do not provide adequate options for an individual to easily and 
simply determine who can or cannot access their substance use disorder records. 


SAMHSA Response: 





SAMHSA agrees with the commenters that the consent form should be written clearly so 
that the patient can easily understand the form. SAMHSA is considering issuing subregulatory 
guidance in the future to provide examples of forms that comply with the basic consent 
requirements in 2.31(a). In addition, SAMHSA encourages part 2 programs to be sensitive to the 
cultural and linguistic composition of their patient population when considering whether the 
consent form should also be provided in a language(s) other than English (e.g., Spanish). 


b. Consent Form Validity Period 





Public Comments: 





Several commenters stated that a two-year time limit for the validity of consent is 
insufficient, with some commenters suggesting that consent forms be valid indefinitely or until 
death. For example, one commenter asked why SAMHSA would deny a person who has 


received substance use disorder treatment the right to decide that they want any and all 
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information regarding their treatment shared with any and all of their health care providers 
indefinitely as needed for coordination of care. Another commenter stressed the language of 

§ 2.31(a) was confusing and requested clarification on the permissible length of time a consent is 
valid. 


SAMHSA Response: 





Under § 2.31, a part 2-compliant consent form must list the date, event, or condition upon 
which the consent will expire, if not revoked before. Thus, it is not sufficient under part 2 for a 
consent form to merely state that that disclosures will be permitted until the consent is revoked 
by the patient. It is, however, permissible for a consent form to specify the event or condition 
that will result in revocation, such as having its expiration date be “upon my death.” The rule 
does not set a two-year time limit for consents, as some commenters thought. 


c. Technical Challenges to Proposed Consent Requirements 





Public Comments: 





Commenters expressed concern about the technical challenges providers would face in 
complying with the proposed consent requirements. Generally, commenters expressed concern 
that few, if any, EHR systems and/or HIEs have the capability to segregate substance use 
disorder patient information in a way that could fully support the rule by reflecting the patient’s 
consent choices, and many providers would have to expend significant amounts of funds to 
create or acquire a compliant system. Commenters argued that if providers do not have data 
segmentation capability, they may simply exclude substance use disorder patient data from their 
systems, thus adversely impacting system integration and patient care. 

A couple of commenters asserted that EHR, HIE, and other electronic records systems 


have no way of selecting different levels of consent for treating providers. Specifically, a 
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commenter stated that SAMHSA should remove requirements for varied levels of consent within 
a given organization (e.g., between departments or individuals), instead limiting such variation to 
HIEs that share information between or across organizations. A commenter stated that it is not 
feasible to do individual exclusionary consents in an HIE, especially for an entity that has 
thousands of employees across multiple states. 

A commenter stated that providers in an integrated care network may be precluded from 
performing important quality improvement checks because no set of clinically integrated 
network officials can be expected to have a direct treatment relationship with every patient in the 
large data pools necessary to drive these important public health efforts. 

A commenter stated that the confidentiality of a substance use disorder patient’s 
information should not be compromised if some electronic systems were poorly designed and 
without regard for part 2. Similarly, another commenter stated that technology should be 
regarded as a tool and should not diminish a patient’s privacy rights. 


SAMHSA Response: 





SAMHSA acknowledges the concerns regarding technical challenges to the consent 
requirements and data segmentation more broadly. As stated above, SAMHSA has played a 
significant role in encouraging the use of health IT by behavioral health (substance use disorders 
and mental health) providers and towards minimizing technical burdens through a variety of 
activities. SAMHSA actively participates in the development and stewarding of data standards to 
promote data segmentation and interoperability. Specifically, the Data Segmentation for Privacy 
(DS4P) initiative within ONC's Standards and Interoperability (S&I) Framework facilitated the 
development of standards to improve the interoperability of EHRs containing sensitive 


information that must be protected to a greater degree than other health information due to 42 
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CFR part 2 and similar state laws. The DS4P standards were used in several pilot projects, 
including the Department of Veterans Affairs (VA)/SAMHSA Pilot, which implemented all the 
DS4P use cases and passed all conformance tests; and SAMHSA’s Opioid Treatment Program 
(OTP) Service Continuity Pilot that connected OTPs to an HIE to facilitate continuity of care 
during disasters or other unexpected disruptions in service. Additionally, DS4P standards were 
adopted in ONC’s 2015 Edition final rule (80 FR 62702, Oct. 16, 2015) as part of the 2015 
Edition Health IT Certification Criteria (2015 Edition). See 45 CFR 170.315(b)(7) and (8). 
SAMHSA has also supported the development of the application branded Consent2Share, an 
open-source health IT solution based on DS4P, which assists in consent management and data 
segmentation and is currently being used by the Prince Georges County (Maryland) Health 
Department to manage patient consent directives while sharing substance use disorder 
information with an HIE. SAMHSA is currently updating Consent2Share, slated for release in 
late 2016, with the aim that its streamlined data stack and improved functionality will lower 
barriers to implementation in the field. SAMHSA is considering issuing subregulatory guidance 
in the future to address other technical solutions to complying with the regulation. 

Regarding the comment that it is not feasible to do individual exclusionary consents in an 
HIE, the HIE does not have to give the patient the option to do individual level consent. 
SAMHSA has provided more flexibility in the consent provisions in an effort to ensure that 
patients with substance use disorders have the ability to participate in and benefit from new 
integrated health care models while, at the same time, maintaining core confidentiality 


protections. 


d. Requests for Exemptions and Exceptions 
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Public Comments: 





Several commenters requested various exemptions or exceptions from the part 2 consent 
requirements, including a public health exception similar to that of the HIPAA Privacy Rule (see 
http://www.hhs.gov/hipaa/for-professionals/special-topics/public-health/index.html), an 
exemption for CCOs who have a treating relationship with a patient, an exemption for ACOs 
who have integrated delivery systems, an exception for state health data organizations that 
collect data under legislative authority and collection of substance use disorder data by state 
agencies, and in instances where part 2 data may be used to improve patient care coordination, 
ensure interoperability, and ensure patient safety. One commenter requested an exception for 
care coordination purposes for valid and vital clinical reasons. 

Regarding § 2.20 (Relationship to state laws), a commenter said SAMHSA should 
include an exception under part 2, subpart D (Disclosures Without Patient Consent) allowing 
disclosures of substance use disorder treatment information based on state laws that authorize or 
compel such disclosures (e.g., for public health or medical assistance reasons). Another 
commenter, noting the role of multi-payer claims databases or MPCDs (also known as all payer 
claims databases (APCDs)), suggested that SAMHSA add a new section to include state health 
data organizations that collect data under a legislative authority, reasoning that these states have 
decades of experience in collecting and managing sensitive data with strict legal and policy 
controls. 

A commenter said SAMHSA should permit oral consent with documentation and specific 
information to be shared. 


SAMHSA Response: 
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SAMHSA appreciates the perspectives expressed by those who seek additional 
exceptions or exemptions from part 2 consent requirements, as well as the suggestion that 
SAMHSA permit oral consents that are documented in writing. 

The part 2 underlying statute, 42 U.S.C. 290dd-2, and this rule require a written patient 
consent to disclose part 2 information unless the disclosure is otherwise permitted under the part 
2 statute or regulations. The statute, for instance, does not provide a general exception to the 
consent requirement for the purpose of sharing information with public health officials. In certain 
circumstances, disclosures of part 2 information may be authorized by court order to protect 
against an existing threat to life or of serious bodily injury (see § 2.63, Confidential 
communications) or to the extent necessary to meet a bona fide medical emergency in which the 
patient's prior informed consent cannot be obtained (see § 2.51, Medical emergencies). 
SAMHSA may in the future consider issuing subregulatory guidance to further describe medical 
emergencies under § 2.51 and how such emergencies may relate to public health emergencies 
declared at the federal, state, local, and/or tribal levels. SAMHSA does not, however, have the 
statutory authority to authorize routine disclosure of part 2 information for public health 
reporting, surveillance, investigation or intervention purposes. 

With respect to § 2.20 (Relationship to state laws), in the proposed and final rules 
SAMHSA maintains current language regarding preemption. As discussed above, SAMHSA 
cannot develop a new general exception for public health or medical assistance purposes in light 
of the statute. Likewise, SAMHSA cannot develop a specific new exception for APCDs 
(hereinafter referred to as MPCDs). The role of MPCDs is discussed in the section of this 
preamble concerning research (§ 2.52). SAMHSA disagrees with the recommendations to 


consider a specific exemption to the consent requirements for ACOs that have integrated 
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delivery systems, except as described in § 2.53 for the purposes of audits and evaluations. 
Similarly, SAMHSA is not accepting the suggestion to provide a specific exemption from the 
part 2 consent requirements for CCOs that have a treating provider relationship with a patient 
(i.e., that meet the definition of having a treating provider relationship with the patient whose 
information is being disclosed). SAMHSA believes that the final changes to the consent 
requirements will facilitate care coordination and information exchange. Improving the quality of 
substance use disorder care depends on effective collaboration of mental health, substance use 
disorder, general health care, and other service providers in coordinating patient care. However, 
the composition of a health care team varies widely among entities. Because SAMHSA wants to 
ensure that patient identifying information is only disclosed to those individuals and entities on 
the health care team with a need to know this sensitive information, we are limiting a general 
designation in the “To Whom” section of the consent requirements to those individuals or 
entities with a treating provider relationship. Patients may further designate their treating 
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providers as “past,” “current,” and/or “future” treating providers. In addition, the consent form 
can include multiple authorizations in the “To Whom” section. A consent may allow a patient to 
designate, by name, one or more individuals with whom they do not have a treating provider 
relationship, that they authorize to receive or access their health care data. 

While we are not establishing specific additional exemptions or exclusions from the 
consent requirements at this time in response to commenters’ suggestions, in light of the 
longstanding role that contractors and subcontractors play in the health care system and their 
handling of part 2 data, we are issuing an SNPRM related to lawful holders’ use of contractors 


and subcontractors. 


e. Commenter Recommendations 
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Public Comments: 





Some commenters said SAMHSA should expand the list of persons who could view the 
patient’s medical record without the patient’s written consent to include clergy, social workers, 
psychologists and family members if in their professional opinion they were necessary for the 
patient’s recovery and progress. Another commenter recommended expanding the list to include 
all types of professionals involved in the treatment of individuals receiving substance use 
treatment into the respective definitions, including those employed in social services that are 
members of the treatment team. 


SAMHSA Response: 





The definition of “treating provider relationship” is sufficiently broad to cover the 
necessary components of a patient’s care team. The statute, 42 U.S.C. 290dd-2, does not provide 
an exception to the consent requirement for the purpose of sharing information with family 
members. Part 2, therefore, requires a part 2-compliant consent to disclose patient identifying 
information unless disclosure is otherwise permitted under the statute or regulations. 


Public Comments: 





Many commenters said SAMHSA should provide a sample consent form. Some 
commenters stated that any sample consent form should not be mandated to allow stakeholders 
flexibility. 


SAMHSA Response: 





SAMHSA may, after publication of this rule, issue subregulatory guidance that includes a 
sample consent form that meets the specifications of the final rule. SAMHSA has never and has 
no intention of mandating the use of a specific consent form. 


Public Comments: 
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Several commenters generally supported the use of electronic signatures. Several 
commenters only supported electronic signatures when also authorized under state law. A 
couple of commenters requested guidance on what steps the provider would need to take to 
verify identity, provide the required prefatory information and to obtain a substance use disorder 
patient’s electronic signature. A commenter requested guidance from SAMHSA on the areas 
modified by SAMHSA. A commenter said SAMHSA should identify the signatory and 
enforceability consideration of electronic consent through reference to other laws. 


SAMHSA Response: 





Because there is no single federal law on electronic signatures and there may be variation 
in state laws, SAMHSA recommends that stakeholders consult their attorneys to ensure they are 
in compliance with all applicable laws. 


Public Comments: 





Some commenters made recommendations for patient privacy protection. One 
commenter noted that the use of secure, certified health IT, networks, and devices, especially for 
the transmission of patient records, does not appear to be included in the proposed provisions. 
Another commenter said meaningful consents could only be achieved by adding statements that 
inform the patient of the unprecedented risks of making highly sensitive substance use disorder 
information accessible throughout integrated health care systems or electronic health information 
systems that cannot be made secure. 

A commenter stated the proposed rule did not address revocation or refusal of consent. 
Similarly, another commenter recommended adding language that makes clear that revocation of 
consent prevents unauthorized access but does not remove the information from the electronic 


record. 
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SAMHSA Response: 





Section 2.16 addresses security for records and requires formal policies and procedures to 
reasonably protect against unauthorized use and disclosures of patient identifying information 
and to protect against reasonably anticipated threats or hazards to the security of patient 
identifying information. Whereas this provision does not specifically address the use of certified 
health IT networks, and devices, they may be used as long as the requirements of section 2.16 are 
met. Regarding revocation of consent, § 2.31(a)(6) requires: “A statement that the consent is 
subject to revocation at any time except to the extent that the part 2 program or other lawful 
holder of patient identifying information that is permitted to make the disclosure has already 
acted in reliance on it. Acting in reliance includes the provision of treatment services in reliance 
on a valid consent to disclose information to a third-party payer.” To the extent an individual 
refuses to consent to the disclosure of their patient identifying information, part 2 prohibits such 
disclosure unless otherwise permitted under the statute or regulations (e.g., audit or evaluation, 
or scientific research). 

2. To Whom 

SAMHSA is adopting this aspect of the proposal. SAMHSA has moved the former 
§ 2.31(a)(2), “To Whom” provision, to § 2.31(a)(4). The following table provides an overview of 
the options permitted when completing the designation in the “To Whom” section of the consent 
form. 

Table 1 — Designating Individuals and Organizations in the “To Whom” Section of the 


Consent Form 
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Individual provider 
Aa CER. || OF CMH || -Felatonshap., Oe Required additional 
2.31 whom with patient || Primary designation designation 
: disclosure is whose 
to be made || information is 
being disclosed 
. fog Name of individual(s) 
(a)(4)(i) Individual Yes (66: Jane Doe: MD) None. 
; aa Name of individual(s) 
(a)(4)(i) Individual No (e.g., John Doe) None. 
Name of entity (e.g., 
(a)(4)(ii) Entity Yes Lakeview County None. 
Hospital) 
Name of entity that is 
a third-party payer as 
(a)(4)(iii)(A)||Entity No specified under None. 
§ 2.31(a)(4)(ii)(A) 
(e.g., Medicare) 
At least one of the 
following: 
1. The name(s) of an 
individual participant(s) 
(e.g. Jane Doe, MD, or 
Name of entity that is |John Doe). 
not covered by : 
(a)(4)(iii)(B)||Entity No S951): Ie ay 

















(e.g., HIE, or research 
institution) 








participant(s) with a 
treating provider 
relationship with the 
patient whose information 
is being disclosed (e.g., 
Lakeview County 
Hospital). 


3. A general designation of 
an individual or entity 
participant(s) or a class of 
participants limited to 
those participants who 
have a treating provider 
relationship with the 
patient whose information 
is being disclosed (e.g., 








my current and future 
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treating providers). 











If a general designation is used, the entity must have a mechanism in place to determine 
whether a treating provider relationship exists with the patient whose information is being 
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disclosed. Patients may further designate their treating providers as “past,” “current,” and/or 
“future” treating providers. In addition, a patient may designate, by name, one or more 
individuals on their health care team with whom they do not have a treating provider 
relationship. 

a. General 
Public Comments: 

Several commenters generally agreed with the proposed “To whom” section of the 
consent requirements, stating that it allows patients to disclose substance use disorder 
information to past, current, or future treating providers; would improve information and data 
sharing for health care, especially for entities that are continually adding new members; allow 
patients to remain in control of their substance use disorder information and understand who had 
access to their data. One commenter supported the express permission to designate the name of 
the entity for third-party payers that require patient identifying information for purposes of 
reimbursement of services rendered to the patient. 

Many commenters offered general support for the proposed rule’s general designation. 
Some commenters stated that the general designation creates a balance between patient privacy 
and operational functions, facilitates internal communication within an integrated delivery 
system, streamlines the consent process, reduces administration burdens, creates new flexibility, 
may help facilitate increased behavioral health participation in some HIEs around the country, 


and would help improve the quality and continuity of care within integrated delivery models. A 
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commenter supported the expansion of the use of a general designation when there is a treating 
provider relationship, but said it is unworkable to require an updated consent form every time 
new entities are added to the “umbrella” consent. 

Some commenters generally disagreed with the proposed “To Whom” provision of the 
consent requirements. Several commenters argued that the proposal was burdensome, would 
create additional complexity, would reduce information sharing, and would not improve patient 
privacy protections or facilitate informed consent. Commenters stated it is unnecessary and 
impractical to require the consent form to name every HIE and other intermediaries that may 
assist in transmitting or providing access to the patient’s information. A couple of commenters 
stated the proposed rule would restrict the ability of patients to specifically name an entity or to 
authorize part 2 programs to send their information to entities that do not have a treatment 
relationship [treating provider relationship]. Another commenter said the regulatory preface 
mentions a number of very specific drivers of this purported need for broader sharing (such as 
HIEs), but the regulatory language itself contains no such limitation and offers HIE only as an 
illustrative example. 

Many commenters specifically did not support the general designation in the “To Whom” 
section. Some commenters claimed that the proposal presumes each person entering a treatment 
process has the ability to understand the longer-term consequences, or that substance use 
disorder patients, who are under tremendous stress, would simply choose the general designation 
because it was easiest. A commenter said the general designation does not guarantee that a HIE 
or other organizations will send all patient data, which could be a critical source of information 
in the case of an emergency. 


SAMHSA Response: 
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A patient may consent to designate, for example, an HIE (an entity that does not have a 
treating provider relationship with the patient whose information is being disclosed) and “all my 
treating providers” (a general designation of an individual or entity participant(s) or a class of 
individual or entity participants that must be limited to a participant(s) who has a treating 
provider relationship with the patient whose information is being disclosed). Using the same 
concept, an ACO, pursuant to a general designation, may disclose information described in the 
“Amount and Kind” section of a consent form (explained further in 3. Amount and Kind) to “all 
my entity treating providers.” If a general designation is used, the entity must have a mechanism 
in place to determine whether a treating provider relationship exists with the patient whose 
information is being disclosed (e.g., an attestation). In the HIE and ACO examples above, the 
entity that does not have a treating provider relationship with the patient whose information is 
being disclosed and serves as the intermediary may not further disclose the patient identifying 
information except to those providers who have a treating provider relationship with the patient 
whose information is being disclosed that can be verified by the intermediary. The prohibition 
on re-disclosure notice must be provided with the disclosure because it also applies to the 
treating provider(s) who receive the information from the entity that serves as an intermediary. 
In addition, a copy of the part 2-compliant consent form or the pertinent information on the 
consent form necessary for the treating provider(s) to comply with the signed consent should be 
provided with the disclosure. 

The patient retains the ability to name only specific individuals or entities to whom their 
records will be disclosed. Patients have the option to use a general designation to designate 
entities with which they have a treating provider relationship, but are not required to do so. 


Although SAMHSA received comments suggesting that the proposed rule makes it more 
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difficult to disclose necessary information to an organization that does not have a treating 
provider relationship with the patient whose information is being disclosed other than a 3rd party 
payer, the commenters did not provide examples of such entities. The final rule permits the “To 
Whom.” section of the consent form to designate disclosure of information to an entity that does 
not have a treating provider relationship with the patient whose information is being disclosed, as 
long as the consent also includes one of three options specified in § 2.31(a)(4)(ii)(B), for 
example, include the name(s) of an individual participant(s). 

If the patient designates all my current treating providers, and another of the patient’s 
treating providers becomes a participant in the entity that does not have a treating provider 
relationship with the patient and serves as the intermediary, a new consent form would not be 
required. For example, if a patient designates an HIE (an entity that does not have a treating 
provider relationship with the patient whose information is being disclosed and serves as an 
intermediary) and “my current treating providers,” and subsequently another of the patient’s 
treating providers becomes a participant in the HIE, a new consent form would not be required. 
In addition, more than one HIE or other intermediary may be listed on the consent form. With 
respect to burden, SAMHSA acknowledges that there may be burdens associated with the 
revised consent requirements. SAMHSA made these changes based on comments from 
stakeholders in the field and SAMHSA strongly believes that the changes to “To Whom” will 
increase flexibility for patients and providers. 


b. Determination of Treating Provider Relationship 





Public Comments: 





A commenter agreed with SAMHSA’s suggestion that entities must have an established 


mechanism for determining whether a treating provider relationship exists. However, several 
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commenters stated that determining who has a treating provider relationship would be difficult. 
Commenters expressed concern that entities do not currently have mechanisms in place to 
determine whether a treating provider relationship exists with the patient whose information is 
being disclosed. Another commenter asked how an HIE would be able to determine which 
participants have a past/present/future treating provider relationship with the patient. A 
commenter stated that creating this mechanism would require additional resources and would 
discourage entities from sharing necessary data. Another commenter recommended a provision 
that exempts the provider from liability when relying in good faith on an attestation or 
representation from an outside treating provider. 

Several commenters expressed concern that once a consent reflecting a general 
designation of recipients with a treating provider relationship has been executed and relied upon 
by the part 2 program, there is no method by which the program can ensure that the recipients are 
properly authenticated by the HIE or research institution. Commenters suggested the proposed 
rule should specify that the HIE, ACOs, CCOs or research institution, as well as the recipient 
that has a treating provider relationship with the patient, be responsible for ensuring that the 
recipient is actually a treating provider and that the disclosure is appropriate under part 2. 

A commenter requested clarification on whether care managers would be included as 
having a “treating provider relationship.” Another commenter requested clarification as to 
whether care coordinating entities that have a treating provider relationship may assign 
additional designees under the general designation (e.g., treatment providers with different levels 
of care or recovery services). 

Commenters recommended the language in the “To Whom” clause state “my treating 


providers” or “my service providers.” A commenter recommended “my substance use disorder 
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providers” or “my treating providers except Dr. John Doe.” Another commenter recommended 
“my treating providers and transferring HIEs” 


SAMHSA Response: 





Although SAMHSA understands the concerns about further clarifying when an entity is 
considered a treating provider, it respectfully declines to provide more specificity in the final rule 
than was included in the NPRM. The arrangements between treating providers and other entities 
evolve too rapidly to be comprehensively addressed in regulations. Although, SAMHSA has not 
revised the proposed text, SAMHSA may provide additional subregulatory guidance in the future 
if further clarification is needed. In addition, only individuals and entities that meet the 
definition of having a treating provider relationship with a patient are considered treating 
providers. The determination is fact-specific. Consistent with the NPRM, SAMHSA continues 
to encourage innovative solutions to implement this provision. For example, an HIE could have 
a policy in place requiring their participant providers to attest to have a treating provider 
relationship with a patient, or provide a patient portal where patients designate their treating 
providers. 


c. Requests for Clarification 





Public Comments: 





Some commenters requested clarification regarding the patient’s role in consent, 
including the patient’s ability to alter their consent, how patients can authorize disclosures to 
non-health entities other than third-party payers, and what the impact would be if a patient failed 
to designate past, present, and future disclosures. One commenter stated that, if a patient 


designates an entity without a treating provider relationship and “my treating providers” without 
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further specifying “past, present, or future,” it should be assumed that the intent is to designate 
“current” treating providers. 


SAMHSA Response: 





Patients may designate on the consent form a specific individual(s) with whom they 
either have or do not have a treating provider relationship and/or a specific entity(-ies) with 
whom they have a treating provider relationship. Consents for disclosures to entities that do not 
have a treating provider relationship (other than third-party payers) require at least one of the 
following: (1) The name(s) of an individual participant(s); (2) the name(s) of an entity 
participant(s) that has a treating provider relationship with the patient whose information is being 
disclosed; or (3) a general designation of an individual or entity participant(s) or a class of 
participants that must be limited to a participant(s) who has a treating provider relationship with 
the patient whose information is being disclosed. 

If a patient uses a general designation and lists “my treating providers” without further 
specifying “past, current, or future,” it should be presumed that the intent is to designate 
“current” treating providers. Finally, a patient can revoke a consent at any time, except to the 
extent that the part 2 program or other lawful holder of patient identifying information that is 
permitted to make the disclosure has already acted in reliance on it. Acting in reliance includes 
the provision of treatment services in reliance on a valid consent to disclose information to a 
third-party payer. 


Public Comments: 





Other commenters requested clarification regarding entity roles, including whether a 
CCO can request a single consent for multiple purposes (e.g., care coordination, treatment, and 


payment); whether providers need to maintain the variety of forms to meet the requirements of 
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§ 2.31(a)(4); what limitations (if any) would be placed on HIE entities or research institutions 
using substance use disorder information received via the new consent process, specifically 
whether the disclosure would not be limited to treatment purposes; and whether an HIE-to-HIE 
disclosure is permissible and, if so, for what purposes. A few commenters asked whether it 
would be permissible to list multiple HIEs on a consent form. Similarly, another commenter 
recommended SAMHSA adopt a broad definition of an HIE to allow a “network of networks,” 
such as the statewide health information network to be considered an HIE. A commenter 
requested clarification as to whether 42 CFR part 2 information can flow through other HIEs not 
designated on the consent form to transfer the information to the recipient. 

A few commenters requested clarification on how the proposed changes would impact 
multi-party consent forms that allow disclosure “among and between” all the parties listed on the 
form. Similarly, a commenter requested clarification regarding the “To Whom” and “From 
Whom?” definitions and how they would apply between two providers to whom a patient has 
independently given consent to receive information, urging that the definitions be general and 
consistent so that they allow for bi-directional flow of information. 

A commenter said SAMHSA should clarify that the provision of general consent to 
disclosure of substance use disorder treatment also applies to disclosure of information between 
those responsible for treatment in the community and those responsible for treatment in 
correctional settings. 


SAMHSA Response: 





Under the changes to the consent requirements, an entity that does not have a treating 
provider relationship with the patient may further disclose, with a part 2-compliant consent, to a 


named individual who does not have a treating provider relationship with the patient. 
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Section 2.31(a)(4) of the consent requirements may be completed with one or more 
recipients. Section 2.31(a)(5) of the consent requirements requires that the consent form include 
the purpose of the disclosure. Part 2 allows the use of a single consent form authorizing the 
disclosure of part 2 patient information to different recipients for different purposes. However, 
part 2 also requires a consent form to specify the amount and kind of information that can be 
disclosed, including an explicit description of the substance use disorder information that may be 
disclosed, to each of the recipients named in the consent. The amount of information to be 
disclosed “must be limited to that information which is necessary to carry out the purpose of the 
disclosure (see §2.13(a)). This will vary depending on the different purposes for which different 
recipients are being allowed to access or receive the information. Thus the consent form would 
have to be structured to make it clear what information may be given to each of the recipients, 
and for which purposes. 

Disclosure of patient identifying information made with the patient's written consent must 
be accompanied by a written notice regarding the prohibition on re-disclosure (see § 2.32). This 
notice informs them that 42 CFR part 2 prohibits the recipients of the patient identifying 
information from re-disclosing it to any individual or organization not specified in the consent 
form unless otherwise permitted under the part 2 statute or regulations. 

The rule includes an additional patient safeguard, in which patients who have included a 
general designation in the “To Whom” section of their consent form (see § 2.31) must be 
provided, upon request, a list of entities to which their information has been disclosed pursuant 
to the general designation. 

With respect to multi-party consent, SAMHSA is not finalizing the “From Whom” 


provision (2.31(a)(2)) as proposed for the reasons discussed in 4. “From Whom.” Therefore, 
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consents may authorize disclosures “among and between” the parties designated in the “To 


Whom” and “From Whom” sections of the consent form. 


Public Comments: 





Some commenters requested clarification regarding aspects of the “To Whom” provision, 
such as what would happen if a person does not want to give a general designation; how the 
process of designating past, present, and future treating providers would work in practice; 
whether a Performing Provider System (PPS) could be assigned in the “To Whom” section of the 
consent form; and whether a health care organization would be an appropriate entity to be named 
for disclosure. 

With regard to third-party payers, a commenter asked whether a general designation for 
third-party payers could be used for other purposes, such as care coordination, population health, 
or other services that may fall under the definition of health care operations within the meaning 
of HIPAA. Some commenters recommended that third-party payers should not have to be listed 


in the “To Whom” section of the consent form. 





SAMHSA Response: 

With regard to third-party payers, the regulations require written consent for disclosure of 
patient identifying information to third-party payers. The statute does not provide an exception to 
this consent requirement. However, with respect to patients who have both a substance use 
disorder and a mental illness, § 2.15 of the regulations states that, in the case of a patient, other 
than a minor or one who has been adjudicated incompetent, that for any period suffers from a 
medical condition that prevents knowing or effective action on their own behalf, the part 2 


program director may exercise the right of the patient to consent to a disclosure under subpart C 


121 


of this part for the sole purpose of obtaining payment for services from a third-party payer. In 
addition, in the case of minor patients, § 2.14 of the regulations states the regulations do not 
prohibit a part 2 program from refusing to provide treatment until the minor patient consents to 
the disclosure necessary to obtain reimbursement, but refusal to provide treatment may be 
prohibited under a state or local law requiring the program to furnish the service irrespective of 
ability to pay. 

If an individual does not want to use a general designation, they have several other 
options, which are enumerated in § 2.31(a)(4) of this final rule. 

If a patient does not designate “current, past, and/or future” treating provider(s), the 
presumption is that the patient means “current treating provider(s).” SAMHSA may, after 
publication of this final rule, also provide further clarification on this process of designating past, 
present, and future treating providers in subregulatory guidance. 

Whether a PPS or a health care organization may be listed in the “To Whom” section of 
the consent form depends upon whether they have a treating provider relationship with the 
patient whose information is being disclosed. If an entity does have a treating provider 
relationship with the patient, the entity name may be listed on the consent (see § 2.31(a)(4)(4i)). 
However, if the entity does not have a treating provider relationship with the patient whose 
information is being disclosed, and is not a third-party payer , the entity name may be listed on 
the consent form as long as one or more of the following is also listed: (1) The name(s) of an 
individual participant(s); (2) the name(s) of an entity participant(s) that has a treating provider 
relationship with the patient whose information is being disclosed; or (3) a general designation of 


an individual or entity participant(s) or a class of participants that must be limited to those 
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participants who have a treating provider relationship with the patient whose information is 
being disclosed. 

SAMHSA plans to address issues concerning third-party payer use and disclosure of part 
2 information in greater detail in an SNPRM. 


d. Commenter Recommendations 





Public Comments: 





Commenters recommended more flexibility in the “To Whom” section. Commenters 
recommended that SAMHSA expand the general designation to include all of the various 
participants in the modern health care system and their respective activities: providers, care 
managers, health plans and ACOs, MCO services, CCOs, and similar integrated health care 
networks. One commenter said the general designation should include those who do not have a 
treating provider relationship with the patient but who/which require access to the patient's 
information solely in relation to fulfilling a specific function for the benefit of the individual or 
entity that has the treating provider relationship with specific patients. Another commenter 
requested that SAMHSA allow patients to generally consent to disclose information to any 
company assisting in processing their insurance claims. Another commenter suggested that 
patients be able to name as many treating providers as they wish under the general designation. 
One commenter said patients should be permitted to provide a generalized consent for all of their 
previous providers to disclose information. One commenter said generic consent (1.e., disclosure 
through an HIE) is all that should be required because SAMHSA has previously provided 
guidance that HIEs may have access to part 2 information under a QSO agreement without 
patient consent. A commenter said the rule should allow for the general designation of certain 


types of non-treating providers, rather than require a listing of the name of each entity. 
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In contrast, other commenters suggested increased limitations on the “To Whom” 
designation. A commenter proposed excluding health information networks and health 
information organizations (HIOs) from being specifically identified on patient consent form 
because they are not true recipients of patient health information and simply facilitate electronic 
exchange of information. One commenter recommended that SAMHSA preserve the patient’s 
right of consent to disclosures only to specifically identified practitioners involved in their 
mental health treatment. 

Regarding third-party payers, several commenters recommended allowing third-party 
payers to act as intermediaries for purposes of sharing substance use disorder information, 
allowing them to share information with all of the patient’s treating providers. Another 
commenter requested general designation for third-party payers. To accommodate the 
operational realities of Medicaid, a commenter stressed that the rule should explicitly provide 
that consent to disclose covered data to Medicaid constitutes consent to release such data to 
Medicaid or to the payer’s contracted entity (e.g. the MCO) to apply to both entities as a third- 
party payer. Similarly, another commenter recommended that the rule consider a designation to 
the name of the state agency, the MCO, or simply Medicaid as consent that applies to the state 
and its contracted delivery system, reasoning that not all Medicaid beneficiaries understand their 
health care system. 


SAMHSA Response: 





SAMHSA acknowledges the commenters’ concerns related to the recommendations 
above. SAMHSA has concluded that the proposed changes to the consent requirements would 
facilitate care coordination and information exchange. Improving the quality of substance use 


disorder care depends on effective collaboration of mental health, substance use disorder, general 


124 


health care, and other service providers in coordinating patient care. However, the composition 
of a health care team varies widely among entities. Because SAMHSA wants to ensure that 
patient identifying information is only disclosed to those individuals and entities on the health 
care team with a need to know this sensitive information, we are limiting a general designation to 
those individuals or entities with a treating provider relationship. Patients may further designate 


99 66 


their treating providers as “past,” “current,” and/or “future” treating providers. In addition, a 
patient may designate, by name, one or more individuals on their health care team with whom 
they do not have a treating provider relationship. SAMHSA clarifies that a QSO can be used to 
share part 2 information with the HIE when the HIE is a service provider to the part 2 program, 
but the QSO cannot be used to share information with the members of an HIE without patient 
consent. 

As for third-party payers and others, SAMHSA must balance the need for and benefits of 
care coordination with the need for consent and the requirements of the part 2 governing statute. 
SAMHSA declines to adopt commenter recommendations to allow third-party payers to serve as 
intermediaries that could share information with all the patient’s treating providers because we 
conclude that the “To Whom” consent requirements are sufficiently broad to cover the necessary 
components of a patient’s care team. For purposes of payment-related activities, to the extent that 
federal or state law authorizes or requires that the Medicaid or Medicare agency or program 
share data or enter into a contractual arrangement or other formal agreements to do so, consent to 
disclose patient identifying information to the agencies or programs (as a third-party 
payer) under section 2.31(a)(4)(11i)(A) is considered to extend to the contractors and 


subcontractors of the agencies or programs. 


125 


Commenters have provided SAMHSA with informative feedback on how lawful holders, 
including third-party payers and others within the healthcare industry, use health data or hire 
others to use health data on their behalf to provide operational services such as independent 
auditing, legal services, claims processing, plan pricing and other functions that are key to the 
day-to-day operation of entities subject to this rule. Those comments indicate that there may be 
varying interpretations of the part 2 rule’s restrictions on lawful holders and their contractors’ 
and subcontractors’ use and disclosure of part 2-covered data for purposes of carrying out 
payment, health care operations, and other health care related activities. In consideration of this 
feedback and given the critical role third-party payers, other lawful holders, and their contractors 
and subcontractors play in the provision of health care services, SAMHSA is issuing an SNPRM 
to seek further comments and information on this matter before establishing any appropriate 
restrictions. 


Public Comments: 





Instead of listing organizations in the “To Whom” section, a commenter recommended 
that a consent form should specify the reasons for disclosure (e.g. care coordination, 
management of benefits). 


SAMHSA Response: 





In addition to the “To Whom” section, the consent form is required to include how much 
and want kind of information is to be disclosed, including an explicit description of the substance 
use disorder information that may be disclosed. In addition, the consent form must include the 
purpose of the disclosure. All the required elements must be included on the consent form. 
SAMHSA declines to make the suggested change to allow the “Purpose” of the consent to 


dictate the recipients of the patient identifying information. The intent of SAMHSA’s approach 
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to the “To Whom” section of the consent form is to provide the patient options for the degree to 
which they will be able to identify, at the point of consent, who they are authorizing to receive 
their information. 


Public Comments: 





A commenter stated that SAMHSA should explicitly recognize and include health plan 
care services, such as managed care, care coordination, case management and other integrated 
care activities as part of the required elements for written consent for entities that do not have a 
treating provider relationship with the patient under proposed § 2.31(a)(4)(iv). 

A commenter stated any privacy concerns could be fixed by requiring (1) a general 
designation of a class of participants with a treating provider relationship; and (2) that the 
disclosing organization provide patients, upon request, a list entities to which their information 
has been disclosed. 

A commenter proposed that § 2.31(a)(4) be revised to allow a general designation to be 
used whenever there is a “treating provider relationship” or a “care management relationship.” 
The commenter stated the “care management relationship” should be defined to include the 
concepts of assistance in obtaining appropriate care, care coordination, and assistance in the 
implementation of a plan of medical care. 

A couple of commenters suggested SAMHSA revise proposed § 2.31(a)(4)(iv)(C) to 
read: “... to a participant(s) who has a treating provider relationship with the patient at the time 
the disclosure is made.” (Note, the relevant text is now found at § 2.31(a)(4)(iii)(B)(3) due to 
renumbering of the final regulation.) The commenters stated this would make it clear that 
participants who develop a treatment relationship with the patient after the date the consent can 


gain access. 
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Commenters recommended that the general authorization mirror the authorization under 
HIPAA to ease the transition and reduce compliance issues. 

A commenter recommended SAMHSA work with other federal entities that are exploring 
parity enforcement to ensure that the proposed rule changes would not create barriers for states 
working on enforcement of the parity law. 

If a patient notes their information may be shared with current and future health care 
providers, one commenter said the specific name of the ACO or other provider should not be 
required. 


SAMHSA Response: 





SAMHSA declines to explicitly recognize and include health plan care services, such as 
managed care, care coordination, case management and other integrated care activities as part of 
the required elements for written consent for entities that do not have a treating provider 
relationship with the patient under proposed § 2.31(a)(4)(iv), or broaden the “treating provider 
relationship to also include a “care management relationship.” The definition of “Treating 
provider relationship” is sufficiently broad to cover the necessary components of a patient’s care 
team. 

A commenter stated any privacy concerns could be fixed by requiring (1) a general 
designation of a class of participants with a treating provider relationship; and (2) that the 
disclosing organization provide patients, upon request, a list of entities to which their 
information has been disclosed. Another commenter wanted to delete the requirement of naming 
the entity without a treating provider relationship with the patient whose information is being 
disclosed. SAMHSA is retaining the consent requirements discussed in this section of the 


preamble because we believe it balances increased flexibility with necessary privacy protections. 
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SAMHSA declines to mirror the authorization under HIPAA to ease the transition and 
reduce compliance issues, as a commenter suggested, because, due to its targeted population, 
part 2 provides more stringent federal protections than most other health privacy laws, including 
HIPAA. 

SAMHSA may, after publication of this final rule, provide further subregulatory 
guidance on specific concerns, such as states working on enforcement of the parity law. 


Public Comments: 





Several commenters recommended splitting proposed § 2.31(a)(4)(iv) into two sections. 
The first would contain special provisions governing disclosures made through HIEs and would 
retain the references to “individual participants” and “entity participants.” The second would 
cover all entities that do not fall into any of the other categories in proposed paragraph (a)(4)(1v); 
in these cases, the specific entity to which disclosure is made would have to be specified. 


SAMHSA Response: 





SAMHSA proposed § 2.31(a)(4)(iv) to apply to an entity (1) that does not have a treating 
provider relationship with the patient whose information is being disclosed, and (2) is not a third- 
party payer. Therefore, SAMHSA declines to make the recommended changes. We note, 
however, that due to re-numbering the proposed § 2.31(a)(4)(iv) provision is found in the final 


regulation at § 2.31(a)(4)(iii)(B). 


Public Comments: 





A commenter recommended that the use of multi-party consents be permissible even 
when the “To Whom” section contains a general designation, and that the party(ies) named in the 


“To Whom” section be permitted to re-disclose patient information if the patient has consented 
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to such re-disclosures in order to allow patients’ treating providers to communicate with each 
other (pursuant to patient consent) within networks like HIE and integrated care organizations. 
Another commenter stated that the general designation is a step in the right direction but the 
proposed rule would add a burdensome accounting, which is not required for disclosures 
pursuant to a valid authorization under HIPAA. 


SAMHSA Response: 





On the issue of multi-party consent, a multi-party consent can be achieved by allowing 
for bi-directional communication using the general designation in both the “To Whom” and 
“From Whom” sections of the consent. It can also be created by naming multiple individuals 
with or without a treating provider relationship with the patient whose information is being 
disclosed or entities with a treating provider relationship with the patient whose information is 
being disclosed in the “To Whom” and “From Whom” sections of the consent. The key is to 
make sure the consent form authorizes each party to disclose to the other ones the information 
specified and for the purpose specified, in the consent. The “To Whom” and “From Whom” 
sections of the consent provisions of the final rule will permit multi-party consents. 

With respect to the comment regarding the additional burden of the List of Disclosures 
associated with the use of a general designation on the consent form, SAMHSA addressed this 
issue in Section F.3, in the preamble discussion of Confidentiality Restrictions and Safeguards 
($2.3). That discussion emphasizes the fact that there is no timeframe in which part 2 programs 
and lawful holders need to comply with the List of Disclosures systems requirements; the final 
rule only requires that if they choose to disclose information pursuant to a general designation 
on the “To Whom” part of the consent form, they must also be capable of providing a List of 


Disclosures upon request per § 2.13(d). 
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e. Proposed Alternative Approach for “To Whom” Section 





SAMHSA is not finalizing the alternative approach to the “To Whom” consent provision. 
In the NPRM, SAMHSA proposed an alternative approach for the “To Whom” aspect of a 
consent form that attempted to reflect the same policy goal as the proposed regulation text while 
attempting to simplify the language that would appear on the consent form. This alternative 
approach would not change the existing language in the “To Whom” section of the consent form. 
Under this alternative approach, SAMHSA proposed to add a definition of “organization” to 
§ 2.11. Organization would mean, for purposes of § 2.31, (a) an organization that is a treating 
provider of the patient whose information is being disclosed; or (b) an organization that is a 
third-party payer that requires patient identifying information for the purpose of reimbursement 
for services rendered to the patient by a part 2 program; or (c) an organization that is not a 
treating provider of the patient whose information is being disclosed but that serves as an 
intermediary in implementing the patient's consent by providing patient identifying information 
to its members or participants that have a treating provider relationship, as defined in § 2.11, or 
as otherwise specified by the patient. 


Public Comments: 





No commenters expressed support for the proposed rule’s alternative approach to 
required elements as stated. One commenter said the alternative approach would impose fewer 
burdens on patients and part 2 entities but did not agree with the restriction on dissemination to 
only treating entities. Another commenter supported the proposed alternative if it results in only 
the name of the HIE and not its participants being listed on the consent form. 

Several commenters expressed general opposition to the proposed alternative approach. 


One commenter stated that redefining “organization” to make it more expansive would lead to 
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erosion of trust and would have a chilling effect on the communications necessary for effective 
treatment. Another commenter stated that a more expansive definition of “organization” may 
defeat a patient’s intent because a patient would have less notice that their information could be 
disclosed to an entity not specifically named on the consent form. 


SAMHSA Response: 





Based on the comments, SAMHSA has not adopted the alternate approach. Although a 
few commenters supported the adoption of the broad definition of “organization,” none provided 
sufficient information to determine how that definition could be implemented to protect the 
patient’s information from disclosure to parties without a need to know. It is also unclear how 
the List of Disclosures requirement would be applied under a broader definition of 
“organization.” SAMHSA, therefore, has not adopted a definition of “organization.” SAMHSA 
disagrees with the recommendation that disclosure to a wider range of entities should be allowed 
without the patient’s specific consent. 


3. Amount and Kind 





SAMHSA is adopting this aspect of the proposal. SAMHSA has moved the former 
§ 2.31(a)(5), “Amount and Kind” provision, to § 2.31(a)(3) and revised the provision to require 
the consent form to explicitly describe the substance use disorder-related information to be 
disclosed. The designation of the “Amount and Kind” of information to be disclosed must have 
sufficient specificity to allow the disclosing program or other entity to comply with the request. 
a. General 


Public Comments: 





Many commenters provided feedback on the proposed rule’s “Amount and Kind” 


requirements on a patient’s consent form. A few commenters generally supported the provision. 
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However, several commenters generally disagreed with the proposed provision because it would 
either decrease or fail to improve the sharing of patient information; would hamper integrated 
care; would result in consent forms routinely becoming outdated; patients should not decide what 
information is disclosed; and the current (1987) rule language is adequate for protection of 
patient privacy. 

Some commenters said the rule should continue to allow a general description of the type 
of information being disclosed. Other commenters asked SAMHSA to clarify why the revision of 
the regulatory language was necessary and why specific information is preferable to simply 
stating that the consent form covers all the records maintained by the part 2 program. 


SAMHSA Response: 





The designation of the “Amount and Kind” of information to be disclosed must explicitly 
describe the substance use disorder-related information to be disclosed and have sufficient 
specificity to allow the disclosing program or other entity to comply with the request. However, 
the entity creating the consent form may provide options by including free text space, or choices 
based on a generally accepted architecture (e.g. the Consolidated-Clinical Document 
Architecture (C-CDA)), or document (e.g. the Summary of Care Record as defined by CMS for 
the EHR Incentive Programs). It is permissible to include “all my substance use disorder 
information” as long as more granular options are also included. 

Nothing in the rule would prevent the development and use of broad categories of the 
substance use disorder-related information on the Amount and Kind section of the consent form. 
The types of information that might be requested include diagnostic information, medications 
and dosages, lab tests, allergies, substance use history summaries, trauma history summary, 


elements of a medical record such as clinical notes and discharge summary, employment 
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information, living situation and social supports, and claims/encounter data. If options are 
provided, it is also permissible to provide check boxes next to each option. 


b. Impact of the Amount and Kind Requirement on Providers and Patients 





Public Comments: 





Commenters expressed concern that the proposed “Amount and Kind” provision would 
be unduly burdensome for providers, thus obstructing communications. Several commenters 
stated that the proposed rule would require both patients and providers to have an in-depth 
understanding of the precise terms used for substance use disorder information. Some 
commenters thought this would put undue burden on patients. Other commenters argued that the 
“Amount and Kind” requirement would place an additional burden on patients to anticipate 
future care and/or continually update their consent forms. Similarly, commenters stated that 
patients do not know what information is necessary to support their treatment, which could lead 
to important information being omitted. Commenters argued that the “Amount and Kind” 
provision would require requesting health providers to know the format, titling, and 


nomenclature used for substance use disorder information in the part 2 program. 


A commenter argued that many patients would want all of their substance use disorder 
information disclosed if it would improve the quality and coordination of their care. Many 
commenters recommended that patients should be able to sign a consent to sharing their entire 


record (1.e., a global consent), with some arguing that the form should include a statement that 
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covers “all my records,” “all my substance abuse records,” “entire record” and/or “full record.’ 
Other commenters said patients should be able to choose via a check box “substance abuse 


treatment information” or authorize the entire medical record and list what cannot be disclosed. 
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Several commenters stated that an exhaustive list of check boxes on the consent form would be 
confusing for many patients. 

Some commenters said patients should be able to designate an option for overall record 
release with an option for further specification of dates and materials to be released from the 
substance use disorder record. However, another commenter said selections should be “all or 
nothing” to enable providers to exchange information with HIE, ACO, CCO or a similar entity 
according to the patient’s consent directive with other providers. 


SAMHSA Response: 





The patient will be aware that they have substance use disorder information and can make 
a determination whether they want that information disclosed. The 1987 final rule part 2 
regulations require the patient to list “how much and what kind of information is to be disclosed” 
(§ 2.31(a)(5)). SAMHSA has revised the provision to require that the consent form explicitly 
describe the substance use disorder information to be disclosed to ensure patients understand 
they are disclosing the specified substance use disorder information. The amount of specificity 
patients wish to include in the “Amount and Kind” section of the consent form is left to them, as 
long as it has sufficient specificity to allow the disclosing program or other entity to comply with 
the request. As such, this section does not prohibit a patient from listing “all my substance use 
disorder information” or “none of my substance use disorder information.” However, the 
Amount and Kind section of a consent form must accommodate more specific options. As stated 
previously, nothing in the rule would prohibit the inclusion on a consent form of broad categories 
of the substance use disorder-related information that would generally appear in patient records 
to assist patients in identifying the information they wish to disclose. In developing broad 


categories of information to be included on the consent form, part 2 programs and other lawful 
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holders of patient identifying information would need to take into consideration reading level 
standards and the concepts of plain language. The rule does not require further consent when 
new information is added to the substance use disorder record if the new information is covered 
by the “Amount and Kind” section on the consent form. If the “Amount and Kind” section does 
include specificity that the patient doesn’t understand, the party obtaining the consent should 
explain it to the patient. SAMHSA may, after publication of this final rule, issue in subregulatory 
guidance information for educating staff and patients. We are reliant on the provider to be clear 
to patient, which has always been the case. 


c. Required Substance Use Disorder Information on Consent Forms 





Public Comments: 





Some commenters said the level of detail required in the “Amount and Kind” section of 
the consent form was unrealistic, unnecessary, and confusing. A commenter argued that the level 
of detail required by the rule was at odds with the general designations necessary for information 
exchange. A commenter stated that EHR infrastructure may not be able to categorize and 
segregate information as described in proposed § 2.31(a)(3). 

Some commenters urged SAMHSA to simplify or otherwise revise this section of the 
consent form. A commenter recommended that the list could be simplified by including 
standardized fields on the consent form that align with information commonly found on a 
Continuity of Care Document (CCD). Commenters recommended narrowing the list to several 
broad categories (e.g. employment information, living situation, social supports). A commenter 
stated that if more specific categories were needed, the patient could write in their own terms. 
Some commenters said the elements and extent of the consent should be the same under part 2 as 


itis in HIPAA. Other commenters said SAMHSA should use the required elements of a 
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Summary of Care Record as defined by CMS for the EHR Incentive Program as a basis for the 
“kind” and “type” of information able to be disclosed. Another commenter said SAMHSA 
should defer to the expertise of health plans to determine what is necessary for a treating 
provider to know about substance use disorder. 


SAMHSA Response: 





The types of information that might be requested include diagnostic information, 
medications and dosages, lab tests, allergies, substance use history summaries, trauma history 
summary, employment information, living situation and social supports, and claims/encounter 
data. However, the entity creating the consent form may provide options to include free text 
space, or choices based on a generally accepted architecture or document such as the C-CDA, or 
Summary of Care Record, as defined by CMS for the EHR Incentive Program. It is permissible 
to include “all my substance use disorder information” as long as more granular options are also 
included. If options are provided, it is also permissible to provide check boxes next to each 
option. The designation of the “Amount and Kind” of information to be disclosed must have 
sufficient specificity to allow the disclosing program or other entity to comply with the request. 


d. Requests for Clarification 





Public Comments: 





A couple of commenters asked SAMHSA to clarify whether the “Amount and Kind” 
section is to inform the patient or the providers. A commenter requested clarification on whether 
multiple patient consents would be necessary when the contents of a record changes over time. 
Some commenters requested that SAMHSA provide more specific examples of adequate 
descriptions of the type of information being disclosed. Another commenter recommended 


SAMHSA create a sample consent form. 


137 


SAMHSA Response: 





The “amount and kind” section informs both the patient and the providers. It allows 
patients the opportunity to specify whether all of their substance use disorder treatment 
information or only some may be disclosed and sets the limits on what a part 2 program or other 
lawful holders may disclose. The amount and kind section will generally cover classes of 
information so that changes to the record should not trigger the need for re-consents for the same 
classes of information. SAMHSA may provide examples or a sample consent form in 
subregulatory guidance following the publication of the final rule. 


4. From Whom 





SAMHSA is not finalizing the substantive changes that were proposed for the “From 
Whom?” provision in § 2.31(a)(2). In the NPRM, SAMHSA proposed to move the 1987 
§ 2.31(a)(1) “From Whom” language of the consent requirements provision to § 2.31(a)(2). In 
addition, because SAMHSA was also proposing, in certain instances, to permit a general 
designation in the “To Whom” section of the consent form, SAMHSA proposed to require the 
“From Whom” section of the consent form to specifically name the part 2 program(s) or other 
lawful holder(s) of the patient identifying information permitted to make the disclosure. 


Public Comments: 





SAMHSA received comments on the “From Whom” section of the consent form from a 
group of commenters representing a broad spectrum of stakeholder organizations. The 
overwhelming majority of these commenters were opposed to the proposed change and many 
suggested withdrawing the proposal in § 2.31(a)(2) and retaining the 1987 “From Whom” 


language (§ 2.31(a)(1)). 
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Commenters expressed concern that the proposed § 2.31(a)(2) could decrease the sharing 
of health information; would add complexity with little or no benefit to patient privacy; would 
unnecessarily limit the use of a consent; and may accidentally cause the patient to omit a 
provider whom they want or need to see their data; would negatively impact certain HIE models. 
A significant majority of the comments regarding the “From Whom” section of the consent form 
voiced strong opposition to the proposal. A few commenters said the proposed change would 
unnecessarily limit the positive step SAMHSA took in permitting, in certain circumstance, a 
general designation in the “To Whom” section of the consent form. One commenter suggested 
revising the requirements on the basis that the proposed changes do not modernize the 
regulation. 


SAMHSA Response: 





SAMHSA was persuaded by the overwhelming opposition to the proposed “From 
Whom” language and, with the exception of minor technical revisions, will retain in this final 
rule the language in the current (1987) regulation. SAMHSA made this decision for several 
reasons. First, the existing “From Whom” requirements have been in effect for nearly 30 years 
and were based on the Department’s prior determination that, even with a general designation 
option, the provision did not jeopardize patient privacy. The fact that SAMHSA is not aware of 
any reports of the current (1987) “From Whom” requirement resulting in unintended 
consequences further supports this position. 

Second, in the NPRM, SAMHSA supported the elimination of the general designation 
option in the “From Whom” section of the consent form based on concerns that “[t]he patient 
may be unaware of possible permutations of combining the two broad designations (i.e., in the 


“To Whom” and “From Whom” sections) to which they are consenting, especially if these 
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designations include future unnamed treating providers.” Based on the comments received, we 
believe this concern may have been overstated. Commenters generally did not agree that the 
“unintended consequences” the NPRM postulated were likely to occur. Commenters also 
asserted that SAMHSA’s proposal shifted the burden from the receiver to the sender of health 
information and would be burdensome both to providers and patients. In addition, the proposed 
change could undermine new models to streamline consent. 

While the option of using a general designation in either the “To Whom” or the “From 
Whom.” sections (or both) provides the patient greater flexibility, and may result in two broad 
designations, it is still ultimately the patient’s decision whether to use these options or to 
specifically name both the disclosing and receiving parties on the consent form. We agree with 
the remarks of one commenter that the proposed change to the “From Whom” section 
potentially undermines, rather than supports, patient choice, which was not SAMHSA’ intent. 
Another commenter suggested that SAMHSA’s proposed revisions may restrict multi-party 
consents and disclosures, such as consents that authorize disclosures “between and among” the 
parties. These types of consents are an important option for part 2 programs and patients, which 
SAMHSA believes would be eliminated if it were to finalize the proposal articulated in the 
NPRM. Another characterized the proposed change as adding greater complexity to the consent 
process for patients with little or no benefit to patient privacy. 

Third, leaving the 1987 “From Whom” section essentially unchanged may reduce the 
burden on providers and IT vendors to accommodate this final regulation. HIE 
consortiums/associations and state governments were particularly concerned about the impact of 
the proposed revisions on consent-to-access HIE models (sometimes referred to as a community- 


wide consent-to-access model). As several commenters said, the only way for the participant to 
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comply with the NPRM “From Whom” requirement would be for the participant to list the name 
of every part 2 program in the relevant state in the “From Whom” section of the consent form in 
order to inform the patient that there is a possibility that one of these programs might be the 
source of the information being accessed. Not only would this require the listing of hundreds of 
providers on the face of a consent form—effectively transforming the document into a provider 
directory—but it would also require the listing of part 2 programs that are not participating in the 
HIE, which would be misleading and likely draw objections from these programs. 

Moreover, the identities of part 2 programs that may be sources of information are 
constantly changing as new programs are licensed or join the HIE. This would mean that every 
time a participant sought to access a patient’s information in an HIE, it would have to provide the 
patient with a consent form listing all of these new providers, and the participant would 
constantly need to print new forms with updated lists of part 2 programs in the state. This would 
even apply in the vast majority of cases where no part 2 information would be exchanged, since a 
participant in a consent-to-access model often does not know whether the sought-after 
information contains part 2 information and, therefore, needs to assume that it does. Requiring 
participants to print lengthy consent forms with an updated list of part 2 programs every time a 
new part 2 program is licensed in the relevant state (and developing a system to inform every 
participant about such updates) is simply not feasible. The community consent-to-access model 
was implemented specifically in order to meet the spirit and letter of the 1987 part 2 regulations. 
In addition, federal and state governments have invested hundreds of millions of dollars to build 
statewide health information networks in reliance on the 1987 part 2 regulations, which allow 


consent forms to have a general designation of “From Whom” the records are being disclosed. 
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Theoretically, it is possible for part 2 programs to switch to a consent-to-disclose model while all 
other participants continue to operate under a consent-to-access model. 

Fourth, the flexibility provided in the “To Whom” and “From Whom” sections of the 
consent form are balanced by the specificity in the “Amount and Kind” and “Purpose” sections 
of the consent form. SAMHSA has revised the “Amount and Kind” element on the consent form 
to require the consent form to explicitly describe the substance use disorder-related information 
to be disclosed so that patients will be aware of the substance use disorder information they are 
authorizing to disclose when they sign the consent form. In addition, under the current (1987) 
regulation, consent forms are required to include the purpose of the disclosure. Any disclosure 
made under these regulations must be limited to that information which is necessary to carry out 


the purpose of the disclosure. 


5. New Requirements 

SAMHSA is modifying this aspect of the proposal. SAMHSA proposed to add two new 
requirements related to the patient's signing of the consent form. First, SAMHSA proposed a 
provision that would have required the part 2 program or other lawful holder of patient 
identifying information to include a statement on the consent form that the patient understands 
the terms of their consent. For the reasons explained below, SAMHSA is not incorporating this 
requirement into § 2.31 in this final rule. Second, SAMHSA revised § 2.31 to require the part 2 
program or other lawful holder of patient identifying information to include a statement on the 
consent form that the patient understands their right, pursuant to § 2.13(d), to request and be 


provided a list of entities to which their information has been disclosed when the patient includes 


142 


a general designation on the consent form. SAMHSA is including this requirement in the final 
tule (see § 2.31(a)(4)(iii)(B)(3)@)). 


Public Comments: 





A few commenters supported the additional statement clarifying that the patient 
understands the terms of consent and their rights. One commenter suggested expanding the 
statement to include language about the potential consequences of utilizing a general designation 
in the “To Whom” and “From Whom” fields, which would address concerns about the use of 
two general designations, while preserving the flexibility allowed in the "From Whom" section 
of the current (1987) regulation. 

However, other commenters opposed updating the consent requirements because doing 
so would require providers to update consent forms or would require a separate substance use 
disorder consent form. Several commenters questioned the purpose of the additional signed 
statement. A commenter criticized the proposed language and argued that it was an attempt to 
avoid liability. 

Several commenters argued that patients would not have the capacity to understand what 
they are signing. Furthermore, another commenter stated that a signed statement saying that the 
patient has read the terms of the consent does not mean the patient actually read and understood 
the consent. A commenter recommended a provision to allow the treating physician to sign a 
consent for substance use disorder records for patients who may lack the cognitive ability to sign 
a waiver. 


SAMHSA Response: 





SAMHSA agrees with the commenters that the requirement that the part 2 program or 


other lawful holder of patient identifying information must include a statement on the consent 
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form that the patient understands the terms of their consent is unnecessary. As commenters 
stated, a signature on a confirmation statement does not assure that the patient has, in fact, read 
or understood it. It is also the case, as commenters stated, that some patients may not have the 
capacity, at the time they are admitted, to provide an informed consent. Therefore, SAMHSA has 
eliminated this requirement. 

K. Prohibition on Re-disclosure (§ 2.32) 

SAMHSA is adopting this section as proposed except for a clarifying revision to 
§ 2.32(a). As discussed in the NPRM preamble, the prohibition on re-disclosure provision only 
applies to information that would identify, directly or indirectly, an individual as having been 
diagnosed, treated, or referred for treatment for a substance use disorder and allows other health- 
related information shared by the part 2 program to be re-disclosed, if permissible under the 
applicable law. SAMHSA also clarified in the NPRM preamble that, if data provenance (the 
historical record of the data and its origins) reveals information that would identify, directly or 
indirectly, an individual as having or having had a substance use disorder, the information is 
prohibited from being re-disclosed. In addition, SAMHSA revised § 2.32 to clarify that the 
federal rules restrict any use of the information to criminally investigate or prosecute any patient 
with a substance use disorder, except as provided in §§ 2.12(c)(5) and 2.65. 

1. General 


Public Comments: 





Several commenters generally supported the prohibition on re-disclosure, with some 
stating that the prohibition ensured the confidentiality of the patient’s information and would 
facilitate broader sharing of information among providers and programs in support of integrated 


care, thus increasing quality of care. A commenter supported the delineation between substance 
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use disorder data and other health-related data, particularly the flexibility to share portions of a 
patient’s record that do not fall under part 2 requirements. Another commenter supported 
application of the prohibition on re-disclosure to individuals or entities that receive confidential 
identifying information from lawful holders. 

However, many commenters generally disagreed with the prohibition on re-disclosure. 
Commenters argued that the prohibition created unnecessary barriers and challenges for health 
care providers and would jeopardize patient treatment and care coordination (e.g., due to over- 
restriction of medical records). One commenter argued that the prohibition would prevent the 
inclusion of substance use disorder treatment information within HIE, ACOs, CCOs, and 
research institutions. Another commenter stated the prohibition would prevent substance use 
disorder treatment clinics from being incorporated into integrated care networks. A commenter 
said the prohibition on re-disclosure would prohibit providers or payers from correcting or 
supplementing knowledge of another provider based on fear of violating the law. Lastly, a 
commenter said the proposed rules prohibition on re-disclosure was not different from the 


current (1987) regulation and therefore no clarification was necessary. 





SAMHSA Response: 

SAMHSA is adopting § 2.32 as proposed except for a minor clarification in § 2.32(a). As 
discussed elsewhere in this final rule, SAMHSA is attempting to balance the facilitation of 
information exchange within new health care models that promote integrated care with the 
continued need for confidentiality protections that encourage patients to seek treatment without 
fear of compromising their privacy. SAMHSA acknowledges the legitimate concerns of 
commenters regarding how care coordination relates to patient safety. However, SAMHSA must 


consider the intent of the governing statute (42 U.S.C. 290dd-2), which is to protect the 
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confidentiality of substance use disorder patient records. SAMHSA believes that the prohibition 
on the re-disclosure of information that would identify, directly or indirectly, an individual as 
having been diagnosed, treated, or referred for treatment for a substance use disorder comports 
with its statutory mandate. SAMHSA notes that the revisions to § 2.32 clarify that the 
prohibition on re-disclosure only applies to information that would identify an individual as 
having been diagnosed, treated, or referred for treatment for a substance use disorder, but does 
not apply to health information unrelated to the substance use disorder, such as treatment for an 
unrelated health condition. These revisions should minimize decisions by part 2 programs to 
protect an entire patient record. 


Public Comments: 





Several commenters argued that the original statute for the substance use disorder 
regulations did not prohibit re-disclosure. Another commenter argued that HIPAA did not exist 
when the original regulations regarding substance use disorder data were promulgated and that 
the re-disclosure prohibition was not needed in today’s legal environment. Another commenter 
stated that the re-disclosure prohibition is at odds with the goals of The Mental Health Parity and 
Addiction Equity Act and the Affordable Care Act. 


SAMHSA Response: 





While the statute may not be explicit with regard to certain provisions in 42 CFR part 2, 
the statute directs the Secretary to prescribe regulations to carry out the purpose of the statute, 
which may include definitions and may provide for such safeguards and procedures that in the 
judgment of the Secretary are necessary or proper to effectuate the purposes of this section, to 


prevent circumvention or evasion thereof, or to facilitate compliance therewith. 
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Because 42 CFR part 2 and its governing statute are separate and distinct from HIPAA 
and due to its targeted population, part 2 provides more stringent federal protections than most 
other health privacy laws, including HIPAA. However, SAMHSA aligned policy with HIPAA 
where possible. 

SAMHSA strives to facilitate information exchange within new health care models while 
addressing the legitimate privacy concerns of patients seeking treatment for a substance use 
disorder. These concerns include: the potential for loss of employment, loss of housing, loss of 
child custody, discrimination by medical professionals and insurers, arrest, prosecution, and 
incarceration. 


2. Impact of Re-Disclosure Prohibition on Patient Privacy and Patient Choice 





Public Comments: 





Several commenters expressed concerns that the prohibition on re-disclosure did not 
improve patient privacy protections. A commenter stated that the proposed changes allowed 
more disclosures without patient notice, undermining the goal of protecting a patient’s privacy. 
A commenter argued that any information given by a substance use disorder treatment program, 
including a refusal to provide information, could identify an individual as having a substance use 
disorder (whether or not the patient actually does) or having received treatment for a substance 
use disorder. Another commenter argued against expanding the scope of part 2 to non-substance 
use disorder conditions which may unfairly suggest the presence of a substance use disorder. 

Several commenters expressed concern that the prohibition on re-disclosure interfered 
with a patient’s choice on whether to disclose their medical record. Commenters argued that the 
prohibition on re-disclosure imposed an unnecessary burden on substance use disorder patients 


who wish to have the same level of quality coordinated care as other patients. Several 
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commenters expressed concern that the prohibition on re-disclosure required patients to 
anticipate future care. Several commenters argued that a patient should be allowed to consent to 
or otherwise control the re-disclosure of their information. 


SAMHSA Response: 





Patients may permit re-disclosures of their information via written consent. Part 2- 
compliant consent forms can authorize an exchange of information between multiple parties 
named in the consent form. The key is to make sure the consent form authorizes each party to 
disclose to the other ones the information specified and for the purpose specified, in the consent. 
In addition, the revised consent requirements allow patients, under certain circumstances, to 
authorize disclosure of their information via a general designation (e.g., to “all my current and 
future treating providers’’) rather than to specifically name each recipient. 

As SAMHSA has stated in this regulation, the “To Whom” section of the consent form 
can authorize a disclosure of patient identifying information to an entity that does not have a 
treating provider relationship with the patient whose information is being disclosed and acts as 
an intermediary for its participants, such as an HIO, and a general designation of individual and 
entities with a treating provider relationship with the patient whose information is being 
disclosed that are participants. The required statement prohibiting re-disclosure should 
accompany the information disclosed through consent along with a copy of the part 2-compliant 
consent form (or the pertinent information on the consent form necessary for the intermediary to 
comply with the signed consent), so that each subsequent recipient of that information is notified 
of the prohibition on re-disclosure. 


3. Disclosure of Information that May Indicate a Substance Use Disorder 





Public Comments: 
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Several commenters argued that determining which conditions and medications would 
“identify a patient as having or having had a substance abuse order” would be a burden on 
providers. Commenters said most staff within an HIE do not have the qualifications (e.g., clinical 
knowledge regarding medical conditions and medications) to distinguish which information 
could indicate an individual’s substance use disorder and would thus need to be trained 
accordingly. Commenters stressed that the difficulty in determining what patient information 
would indicate a patient had a substance use disorder would discourage providers and health 
plans from exchanging information, further inhibiting coordinated care and enforcing differential 
treatment of individuals with substance use disorders. 

Several commenters expressed concern that the language of the proposed rule was too 
broad. A commenter said the provision was problematic because many medications are 
frequently related to substance use disorder or other physical or mental conditions, so there is a 
risk of indicating a patient had a substance use disorder whether or not the patient actually did 
have a substance use disorder. Similarly, commenters argued that preventing disclosure of 
information that suggests a substance use disorder is too broad and would overly restrict the 
information available to health care providers, thus endangering patient safety. A commenter 
recommended that SAMHSA interpret “identifies a patient as having or having had a substance 
use disorder” to mean only information that actually identifies a patient as having a substance 
use disorder, rather than including information that merely suggests that a person might have an 
substance use disorder. A commenter recommended that the provision be interpreted as written 
in the rule language, not as expansively considered in the NPRM preamble. 

One commenter argued that a prescription for a certain drug is not enough to identify a 


person as having a substance use disorder, let alone indicate the person is receiving care from a 
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substance use disorder program. The commenter stated that this ambiguity is sufficient to be able 
to say that the information does not “identify” the person as having a substance use disorder or, 
moreover, that they are being treated in a program. 

A commenter stated that, when the data sharing of the records are redacted to remove all 
evidence of substance use disorder they become worthless in terms of ensuring improved client 
care. Further, this commenter said that there is no way to ensure such redaction would be done 
effectively and that there is a high risk of inadvertent disclosure, which cannot be made private 
again. 


SAMHSA Response: 





Comments received by SAMHSA suggest that the discussion in the NPRM of re- 
disclosure regarding medications and examples provided were not clear. Both the proposed rule 
and this final rule prohibit re-disclosure of part 2 information that would identify, directly or 
indirectly, an individual as having been diagnosed, treated, or referred for treatment for a 
substance use disorder, such as indicated through standard medical codes, descriptive language, 
or both, unless further disclosure is expressly permitted by the written consent of the individual 
whose information is being disclosed or is otherwise permitted by the part 2 statute or 
regulations. Such information could, in some circumstances, include part 2 information 
concerning a patient’s prescription for a medication typically used for medication-assisted 
treatment or a disease or condition frequently associated with substance use disorders. While 
certain medical information in and of itself may not identify a patient as having a substance use 
disorder and approved medications may be used for various purposes, the context of this 
preamble and § 2.32 concerns the re-disclosure of information that is directly related to the 


patient’s undergoing treatment for substance use disorders. Therefore, it is considerably more 
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likely that the re-disclosure of such information would result in identifying the patient as 
receiving treatment for a substance use disorder. By contrast, a patient who is not receiving such 
treatment (and, therefore, whose health information is not covered by this rule) would not face 
such risks even if their medication or condition is frequently associated with substance use 
disorders. It is also important to note that in some cases, patients may expressly consent to 
further re-disclosure and that such re-disclosure may in some cases be allowed under other 
provisions of this rule. SAMHSA understands that this is an important topic and may provide 
additional subregulatory guidance on this issue after the publication of this final rule. 


4. Technical Challenges in Preventing Unauthorized Re-disclosure 





Public Comments: 





Commenters expressed concern that, due to how information is exchanged electronically, 
it may be technically difficult for the medical industry to prevent re-disclosure. Commenters 
argued that providers do not have the technical ability to segregate substance use disorder 
content and redact that information from being sent to new providers who use or review the 
record. More specifically, a commenter argued that EHR currently have the ability to contribute 
patient data to an HIE or a Regional Health Information Organization (RHIO) at the patient 
level, not at the services rendered level. A commenter stated that this capability was five to ten 
years away. A commenter argued that if the outputs of the DS4P’s pilots were refined and 
required under the federal health IT certification program, there would have been solution for the 
re-disclosure of substance use disorder information. 

Several commenters expressed concern about the lack of technical standards. A 
commenter recommended that SAMHSA adopt clear technical methods and standards for 


recipients of disclosures, by which part 2 providers and programs would be able to identify 
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which records are not part 2 sensitive and can be incorporated directly into recipient’s EHR. 
Similarly, a commenter stated there needed to be standards for all EHR Vendors and HIEs to 
address the re-disclosure prohibition. 

Some commenters expressed concern about the burden of upgrading their record system 
to comply with the prohibition on re-disclosure. Commenters stated that the re-disclosure 
prohibition would require upgrades and modifications to EHR and HIEs. A commenter stated 
that SAMHSA should provide funding to upgrade HIE systems or HIEs would be likely to refuse 
to accept substance use disorder data. 

Many commenters said the prohibition on re-disclosure and the technical limitations 
many providers faced in preventing re-disclosure would have adverse impacts on sharing of 
information and patient care. A commenter stated that, due to the technical limitations, some 
providers would continue to prohibit re-disclosure of the patient’s entire medical record. Other 
commenters argued that the technical limitations would result in substance use disorder 
information being kept out of the electronic health care environment, leaving gaps that could 
contribute to poor patient outcomes. A commenter stated that part 2 programs would be unable to 
participate in integrated care delivery models because their system was not equipped to segregate 
substance use disorder data. 

A commenter stated that SAMHSA should encourage the expansion of meaningful use to 
allow behavioral health care providers to adopt data segmentation technology. A commenter 
stated that, in light of the EHR requirements under meaningful use, SAMHSA should consider 
ways to reduce the burden on entities using EHR with respect to disclosure statements under 


§ 2.32. Another commenter argued that SAMHSA should simply issue consent recommendations 
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and incorporate more complex structures, such as data segmentation, in a broader mandate or on 
other requirements in order to allow sufficient time for implementation. 


SAMHSA Response: 





SAMHSA actively supports the continued development of data standards to support the 
integration of substance use disorder treatment in emerging health care models. The Data 
Segmentation for Privacy (DS4P) initiative within ONC's Standards and Interoperability (S&I) 
Framework facilitated the development of standards to improve the interoperability of EHRs 
containing sensitive information that must be protected to a greater degree than other health 
information due to 42 CFR part 2 and similar state laws. The DS4P standard allows a provider to 
tag a C-CDA document with privacy metadata that expresses the data classification and possible 
re-disclosure restrictions placed on the data by applicable law. This aids in the electronic 
exchange of sensitive health information. In October 2015, ONC adopted the DS4P standard as 
part of the 2015 Edition health IT certification criteria. The DS4P certification criteria require 
health IT to demonstrate the ability to send and received summary care records that are 
document-level tagged. SAMHSA will continue to work with ONC to further refine the DS4P 
standard so that it can be applied to segment data at the data element level in the manner 
described in ONC’s “Connecting Health and Care for the Nation: A Shared Nationwide 


992 


Interoperability Roadmap — Version 1.0 Final (Roadmap),”” and to accelerate the adopting of the 


DS4P send and receive standards. 


* https://www.healthit.gov/sites/default/files/hie-interoperability/nationwide-interoperability-roadmap-final-version- 
1.0.pdf. 
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Regarding re-disclosure, the primary advantage of continuing the prohibition on re- 
disclosure by recipients of a disclosure with patient consent is that it assures a greater measure of 
confidentiality for patient identifying information. SAMHSA strives to facilitate information 
exchange within new health care models while addressing the legitimate privacy concerns of 
patients seeking treatment for a substance use disorder. These concerns include: the potential for 
loss of employment, loss of housing, loss of child custody, discrimination by medical 
professionals and insurers, arrest, prosecution, and incarceration. 

The prohibition on re-disclosure predates this rulemaking and providers were already 
required to comply with the existing provision. SAMHSA proposed only minor changes to the 
provision for clarity, which should not necessitate system upgrades. Therefore, SAMHSA 
declines to respond to comments regarding the burdens of system upgrades to comply with the 
prohibition on re-disclosure. 

Finally, SAMHSA works closely with its federal colleagues to improve the integration of 
substance use disorder treatment providers and their data. Although the part 2 authorizing statute 
does not give SAMHSA authority to mandate data segmentation, as noted above, DS4P was 
included in the ONC 2015 Edition Health IT Certification Criteria (2015 Edition). SAMHSA has 
also supported the development of the application branded Consent2Share, an open-source health 
IT solution based on DS4P which assists in consent management and data segmentation and will 
continue to work to improve the granularity of how the DS4P standard operates. 


5. Requests for Clarification of the Re-Disclosure Prohibition 





Public Comments: 





Commenters requested clarification on various aspects of the re-disclosure prohibition. 


Some commenters asked for clarification on what records were subject to the re-disclosure 
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prohibition (e.g., the actual record, or the part 2-compliant record that is now incorporated into 
the physician’s notes at the receiving institution). The commenters requested examples of how 
data may, or may not, be disclosed after lawful receipt of part 2 data. 

A commenter suggested that SAMHSA confirm that only records that originated at a part 
2 program are subject to the prohibition on re-disclosure. 


SAMHSA Response: 





Once patient identifying information has been initially disclosed (with or without patient 
consent), no re-disclosure is permitted without the patient’s express consent to re-disclose or 
unless otherwise permitted by the part 2 statute or regulations. Only disclosure of patient 
identifying information made with the patient's written consent must be accompanied by a 
written notice regarding the part 2 prohibition on re-disclosure. Although there is no requirement 
to provide such written notice to individuals and entities who receive information through other 
means under the part 2 program, all lawful holders must comply with the part 2 program 
requirements, including, but not limited to the limitations on re-disclosure. 

Regarding requested confirmation that only records originated at a part 2 program are 
subject to the prohibition on re-disclosure, SAMHSA clarifies that individuals and entities that 
are not covered by part 2 that possess substance use disorder data that did not originate in a part 
2-covered provider are not subject to the part 2 program requirements. However, if those 
individuals and entities received that information that is subject to part 2 via patient consent 
(with or without the notice of prohibition on re-disclosure) or through any other means under the 
part 2 program (i.e., through means that made them a lawful holder), they would be required to 


comply with part 2. 


Public Comments: 
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Several commenters asked for clarification with regard to disclosing prescription 
medications. A few commenters asked whether prescription medications could be disclosed 
without consent if the prescriber states that the prescription is not for substance use disorder 
treatment. Another commenter asked what the requirements were for medications that are used 
“off label” to treat substance use disorder and medications that treat withdrawal. A commenter 
asked for clarification on whether providers in part 2 programs, who do not reveal their part 2 
program affiliation, would be prohibited from disclosing information about substance use 
disorder prescriptions that are also prescribed for non-substance use disorder purposes, unless the 
patient has consented to the disclosure. 


SAMHSA Response: 





SAMHSA agrees that part 2 would permit the disclosure of information without patient 
consent relative to a medication that is used for both substance use disorder and non-substance 
use disorder purposes, even when it is being prescribed for the purpose of substance use disorder 
treatment. In disclosing the information, both the provider and the data provenance must not 
identify the provider as being affiliated with a part 2 program or prescribing the substance use 
disorder medication for substance use disorder treatment. 


Public Comments: 





Regarding the prohibition on re-disclosure, a commenter requested that SAMHSA 
provide clarification on what impact a court order has on sharing information otherwise deemed 
confidential under the part 2 regulations. 


SAMHSA Response: 





SAMHSA has previously stated in FAQ guidance concerning re-disclosures that when 


information is disclosed pursuant to an authorizing court order, part 2 requires that steps be taken 
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to protect patient confidentiality. In a civil case, part 2 requires that the court order authorizing a 
disclosure include measures necessary to limit disclosure for the patient’s protection, which 
could include sealing from public scrutiny the record of any proceeding for which disclosure of a 
patient’s record has been ordered [42 CFR § 2.64(e)(3)]. In a criminal case, such order must limit 
disclosure to those law enforcement and prosecutorial officials who are responsible for or are 
conducting the investigation or prosecution, and must limit their use of the record to cases 
involving extremely serious crimes or suspected crimes [42 CRF § 2.65(e)(2)]. 


Public Comments: 





A commenter asked how a mixed-use mental health and substance use treatment facility 
should handle re-disclosure and how SBIRT would be addressed under this section. 


SAMHSA Response: 





Only the substance use disorder information is covered by part 2. The mental health 
information is not. The prohibition on re-disclosure only applies to information that would 
identify, directly or indirectly, an individual as having been diagnosed, treated, or referred for 
treatment for a substance use disorder, such as indicated through standard medical codes, 
descriptive language, or both, and allows other health-related information shared by the part 2 
program to be re-disclosed, if permissible under other applicable laws. 


6. Recommendations to Improve the Prohibition on Re-Disclosure 





Public Comments: 





Several commenters recommended exclusions to the prohibition on re-disclosure of 
substance use disorder patient data. A commenter said patients should be able to consent to the 
disclosure of substance use disorder information to a covered entity and such information would 


be protected by HIPAA, but would be free from the re-disclosure prohibition. Some commenters 
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said SAMHSA should permit re-disclosure of substance use disorder treatment information for 
the purpose of treatment and/or care coordination. Another commenter suggested an exemption 
for providers within a given POMP, CCO, ACO or HIE, for the purposes of treatment, payment, 
or health care operations. A commenter said SAMHSA should allow re-disclosures without 
patient consent for public health purposes to prevent disease or control injury or disability. 
Lastly, a commenter said SAMHSA should add a category under subpart D “Disclosures without 
Patient Consent” to include state health data organizations that collect data under a legislative 
authority. 


SAMHSA Response: 





Due to its targeted population, part 2 provides more stringent federal protections than 
most other health privacy laws, including HIPAA. In light of the statute, SAMHSA declines to 
create the specific suggested exclusions from the use and disclosure restrictions. SAMHSA will 
specifically address disclosures to subcontractors and contractors for health care purposes in the 
SNRPM. 


Public Comments: 





Commenters requested that SAMHSA provide guidance in several areas, including the 
type of permissible information that can be disclosed; applicability to co-occurring disorders; and 
applicability to multi-use organizations. A commenter said SAMHSA should publish the 
medical codes (e.g., ICD-10s) that are affected by this provision. 


SAMHSA Response: 





As for the type of permissible information that can be disclosed, the proposed 
clarifications to § 2.32 clarify that the prohibition on re-disclosure only applies to information 


that would identify, directly or indirectly, an individual as having been diagnosed, treated, or 
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referred for treatment for a substance use disorder, such as indicated through standard medical 
codes, descriptive language, or both, and allows other health-related information shared by the 
part 2 program to be re-disclosed, if permissible under other applicable laws. 

Regarding the re-disclosure of information related to co-occurring disorders, only the 
substance use disorder information is covered by part 2. The mental health information in a 
patient record is not. However, part 2 programs must ensure adequate confidentiality protections 
for mental health patient data that are applicable based on any relevant federal or state law. 


Public Comments: 





Commenters proposed many other recommendations to improve the re-disclosure 
provision. One commenter said the rule should specify the consequences part 2 providers will 
face if they violate the proposed rule’s prohibition on re-disclosure. A commenter said non-part 2 
programs that prescribe substance use disorder medication should not be forbidden from 
disclosing such prescriptions, nor required to state the purpose of the medication. A commenter 
said the rule should continue to prohibit information being shared with law enforcement for 
criminal prosecution. A commenter said SAMHSA should include an updated sample Notice of 
Prohibition of Re-disclosure in the final rule. One commenter said patients should have the 
ability to remove their substance use disorder history from their medical record after ten years. A 
commenter said SAMHSA should rescind the proposed prohibition on re-disclosure relative to 
general designations and advocate for the medical community to do more within their industry to 
recognize and provide appropriate, comprehensive care for those living with substance use 
disorders. 


SAMHSA Response: 
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Regarding the consequences for violation of the re-disclosure prohibition, each disclosure 
made with the patient’s written consent must be accompanied by the notice of prohibition on re- 
disclosure. Under 42 U.S.C. 290dd-2 (f), any person who violates any provision of this section 
or any regulation issued pursuant to this section shall be fined in accordance with Title 18. 

Regarding the comment on non-part 2 prescribers, prescribers that are not covered by part 
2 are not prohibited from disclosing such prescriptions nor required to specify the purpose of 
such prescriptions. 

On prohibition of information being shared with law enforcement for criminal 
prosecution, this prohibition remains in effect. Specifically, SAMHSA has clarified § 2.32(a) to 
state “[t]he federal rules restrict any use of the information to criminally investigate or prosecute 
any patient with a substance use disorder, except as provided at §§ 2.12(c)(5) and 2.65.” 


Public Comments: 





A commenter stated that individuals or entities who are not part 2 programs may not be 
familiar with the specific consent requirements of part 2, so the next-to-last sentence of § 2.32 
should include a citation to § 2.31. 


SAMHSA Response: 





SAMHSA appreciates the suggestion and has revised § 2.32 to add a reference to the 
§ 2.31 to the penultimate sentence in paragraph (a). 

L. Disclosures to Prevent Multiple Enrollments (§ 2.34) 

SAMHSA is adopting this section as proposed. SAMHSA has modernized § 2.34 by 
updating terminology and revising corresponding definitions. SAMHSA also consolidated 
definitions by moving definitions from this section to the part 2 definitions provision (§ 2.11), as 


discussed in Section III.D. 
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Public Comments: 





A few commenters supported disclosures to prevent multiple enrollments. Some urged 
the proposed regulations to go further and specifically allow registries in the form of HIEs or 
PDMPs to share controlled substance prescriptions in the same manner that it would allow 
withdrawal management or maintenance treatment programs. The aim would be to prevent 
multiple prescribing of prescription drugs that can be abused. Other commenters argued that the 
registry should be available to check enrollment beyond 200 miles. Asserting that the 
requirement to list every site that may be contacted in the consent document is an unusual 
burden, one of these commenters suggested that the concern can be better addressed by 
indicating “any licensed treatment center within the state when a patient presents for treatment.” 
One commenter requested clarification as to what type of “central registry” is being considered 
for disclosure of patient records. Another suggested language that allows for multiple payments 
to providers in situations where clients are enrolled in multiple programs and where programs 
may be obtaining multiple payments for multiple services. 


SAMHSA Response: 





Central registries, defined as “an organization that obtains from two or more member 
programs patient identifying information about individuals applying for withdrawal management 
or maintenance treatment for the purpose of avoiding an individual’s concurrent enrollment in 
more than one treatment program,” serve a different purpose than HIEs or PDMPs. According to 
the Centers for Disease Control and Prevention, PDMPs are state-run electronic databases used 
to track the prescribing and dispensing of controlled prescription drugs to patients. They are 
designed, in part, to monitor this information for suspected abuse or diversion (i.e., channeling 


drugs into illegal use), and can give a prescriber or pharmacist critical information regarding a 
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patient’s controlled substance prescription history. Although PDMPs may serve many valuable 
purposes, SAMHSA decided not to address issues pertaining to e-prescribing and PDMPs in the 
final rule because, as stated in the NPRM, they were not ripe for rulemaking at the time due to 
the state of technology and because the majority of part 2 programs are not prescribing 
controlled substances electronically. 

Under § 2.34(a)(3)(ii), the consent may authorize a disclosure to any withdrawal 
management or maintenance treatment program established within 200 miles of the program 
after the consent is given without naming any such program. Regarding comments on the 200- 
mile limit, SAMHSA declines to make any changes to the 200-mile limit because it is unlikely 
that a patient would be enrolled in multiple programs greater than 200 miles from each other. 
The regulations do not confine the 200-mile limit to within a state. 

As for the request to allow a consent for disclosure to “any licensed treatment center 
within the state where a patient presents for treatment,” SAMHSA has concluded that the 
proposed specificity is needed. Section 2.34 requires that the consent must list the name and 
address of each central registry and each known withdrawal management or maintenance 
treatment program to which a disclosure will be made. This specificity was retained because the 
purpose of the section is to prevent multiple enrollments that would result in a patient receiving 
substance use disorder treatment medication from more than one provider, thereby increasing the 
likelihood for an adverse event or diversion. 

Regarding the request to allow for multiple payments to providers in situations where 
clients are enrolled in multiple programs and where programs may be obtaining multiple 
payments for multiple services, SAMHSA has determined that this request it outside of the scope 


of the proposed part 2 changes in the NPRM. 
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M. Medical Emergencies (§ 2.51) 

SAMHSA is adopting this section as proposed. SAMHSA has revised the medical 
emergency exception to give providers more discretion to determine when a “bona fide medical 
emergency” (42 U.S.C. 290dd-2(b)(2)(A)) exists. The revised language states that patient 
identifying information may be disclosed to medical personnel to the extent necessary to meet a 
bona fide medical emergency in which the patient's prior informed consent cannot be obtained. 
SAMHSA continues to require the part 2 program to immediately document, in writing, specific 
information related to the medical emergency. 

1. General 


Public Comments: 





Many commenters expressed support for the proposed change in language of the medical 
emergency exception to provide medical personnel with increased discretion to determine a 
“bona fide medical emergency.” Some commenters expressly supported aligning the regulatory 
language with the statutory language for medical emergencies. A commenter supported the 
special rule that would allow the disclosure of patient identifying information to medical 
personnel at the FDA who provide reason to believe that the health of any individual may be 
threatened by a product under the FDA’s jurisdiction and that the information used solely for 
notifying the patient or their physicians of the potential dangers. 

However, several commenters warned that part 2 programs should not be expected to 
assume the unrealistic burden of liability for a HIE’s capability to comply with all part 2 
requirements. Another commenter argued the current medical emergency exception is clear 
under current (1987) law and providers are already making the determination as to what 


constitutes an emergency. 
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SAMHSA Response: 





SAMHSA appreciates the support of commenters on this issue. With regard to the 
comment about the burden of liability, SAMHSA asserts that the treating provider must make the 
determination as to whether a bona fide medical emergency exists. However, concern alone 
about potential drug interaction may not be sufficient to meet the standard of a medical 
emergency. Thus, based on the circumstances of the presenting situation, SAMHSA recommends 
that health care providers obtain consent from the patient where feasible. 


2. Definition of “Bona Fide Medical Emergency” 





Public Comments: 





Commenters provided various suggestions for expanding the definition to include 
disclosure of records for mental health involuntary commitment evaluations and other 
psychiatric emergencies; to detoxification centers; when there is “risk of serious harm” to self or 
others by reason of an substance use disorder; in order to save a life or prevent further injury of a 
person who is not able to make a rational decision due to mental impairment; and to prevent 
suicide. Several commenters asserted the revisions should include an exception for disclosure 
without consent in order to prevent medical emergencies from occurring in the first place. Other 
commenters suggested not limiting this section to only medical emergencies, but allowing 
disclosures for treatment, payment, and operation purposes. A few commenters supported adding 
a duty to warn exception where a substance use disorder patient discloses intent, plan, or means 
to inflict harm onto another individual or the public. 


SAMHSA Response: 





On the request to expand the definition, while the statute authorizes an exception for a 


bona fide medical emergency, broadening this provision to include non-emergency situations 
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would be inconsistent with the statutory scheme. With respect to warnings, part 2 does not 
impose a duty to warn — or a duty to disclose any information. It only governs when disclosures 
may be made, not when they must be made. SAMHSA has previously provided FAQ guidance 
on when a part 2 program may make a disclosure without divulging patient identifying 
information. SAMHSA will monitor this issue and may consider whether additional 
subregulatory guidance in the future may be helpful. 

Regarding involuntary commitment, patient identifying information may be disclosed to 
medical personnel to the extent necessary to meet a bona fide medical emergency in which the 
patient's prior informed consent cannot be obtained. This may include situations in which the 
patient is not regarded as being legally competent under the laws of their jurisdiction. Such 
circumstances may apply when a patient is subject to an involuntary commitment (i.e., formally 
committed for behavioral health treatment by a court, board, commission, or other lawful 
authority). Consistent with § 2.51, during the period of time a patient is not regarded as being 
legally competent, any previously established, unrevoked, or unmodified general designation 
remains valid for their current treating providers until such time as the individual’s competency 
is restored. The treating provider(s) would, in such circumstances, be expected to follow 
provisions of this rule pursuant to medical emergencies, including all documentation 
requirements. Importantly, at any time when a patient is legally competent, they may modify 
their general designation consistent with the provisions of this final rule. 


Public Comments: 





Other commenters suggested restrictions on the definition of “bona fide medical 
emergency” or other limitations to the medical emergency exception. Several recommended that 


the final rule explicitly state that the medical emergency exception continues to be limited to 
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circumstances in which an individual needs immediate medical care and the patient’s consent 
cannot be obtained. The medical emergency exception does not apply to situations where the 
patient could but will not consent, since the exception should not be used to avoid obtaining 
consent. A commenter urged that a “bona fide medical emergency” be limited to circumstances 
in which an individual needs immediate medical care because of an immediate (not future) threat 
to a person’s health. 

A commenter asserted that it be specified that a “medical emergency” is determined by 
the treating provider. 

A commenter asserted that the information disclosed in a “bona fide medical emergency” 
should be more clearly limited and the rule should require the provider to affirmatively share the 
required documentation of the disclosure with the patient. 

A commenter stated that part 2 information disclosed in a medical emergency should not 
be re-disclosed for criminal investigation or prosecution. 

A few commenters advocated for emergency care providers to be permitted to access 
only limited part 2 information available through a HIE. 


SAMHSA Response: 





On situations in which the patient could but will not consent, SAMHSA has not revised 
the regulatory language, but agrees that “patient consent could not be obtained” refers to the fact 
that the patient was incapable of providing consent, not that the patient refused consent. 

With regard to the request that a “medical emergency” be determined by the treating 
provider, SAMHSA clarifies that any health care provider who is treating the patient for a 


medical emergency can make that determination. 
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On limiting the information disclosed, § 2.13(a) of the rule indicates that the amount of 
information to be disclosed “must be limited to that information which is necessary to carry out 
the purpose of the disclosure.” 

With regard to the comment on re-disclosure, SAMHSA will address re-disclosure of part 
2 information obtained during a medical emergency in subregulatory guidance rather than in the 
rule, as it has in the past. 


Public Comments: 





Several commenters asserted that automated or pre-determinations for medical 
emergencies should be allowed. A commenter suggested that pre-defining the criteria for 
medical emergency would enable HIEs to automate the decisions about whether a patient visit is 
a medical emergency. The commenter said such criteria could be defined by each individual 
hospital or could be based on national standards. Another commenter argued that Level of Care 
Utilization System (LOCUS) scores and the ASAM levels could be used as clinical standards for 
determining “bona fide emergency” situations where behavioral health information should be 
more broadly shared. 


SAMHSA Response: 





Automated electronic health information systems can be programmed to flag specific 
patient information for medical personnel to use in determining whether a bona fide medical 
emergency exists and may be programmed to provide alerts to authorized providers. However, as 
SAMHSA has explained in previous FAQ guidance, one may not automate the determination of 
a medical emergency. 


Public Comments: 
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Many commenters requested examples of emergency situations in order to minimize 
confusion among providers and organizations as to the circumstances under which medical 
emergencies would be valid. Many of these commenters provided their own instances requesting 
clarification if disclosure would be necessary. 


SAMHSA Response: 





SAMHSA plans to provide the requested examples in subregulatory guidance after the 


publication of this final rule. 


3. Documentation of Medical Emergency 





Public Comments: 





Many commenters argued for removal of the requirement that a part 2 program 
immediately document a disclosure pursuant to a medical emergency. A commenter stated that 
SAMHSA should simplify the existing onerous documentation requirements that impede vital 
sharing of information. Another commenter suggested part 2 programs should rely on other 
functionalities that retain disclosure and specific information related to the medical emergency, 
such as audit reports. 

A commenter suggested the language be modified to allow the part 2 program to 
document the disclosure “promptly” rather than “immediately.” 

Other commenters suggested eliminating the requirement to provide “the name of the 
medical personnel to whom disclosure was made.” 

Another commenter asserted that the rule should allow an HIE to maintain documentation 


of disclosures for the part 2 program and provide ongoing access to such information. 
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A commenter suggested that a “list of the information disclosed” be added to the list of 
information that must be entered into the patient record at the time of the emergency disclosure. 


SAMHSA Response: 





SAMHSA is not convinced of the benefit of replacing “immediately” with “promptly,” 
particularly since neither term is defined in the final rule. With regard to the suggestion to 
eliminate the requirement to provide “the name of the medical personnel to whom disclosure was 
made,” the current (1987) part 2 regulations (as well as the regulatory language in the NPRM) 
require part 2 programs to document the name of the medical personnel to whom disclosure was 
made and their affiliation with any health care facility because it is important for that information 
to be available to the part 2 program and the patient. 


4. Other Comments on Medical Emergencies 





Public Comments: 





Some commenters suggested that SAMHSA expand who is authorized to access 
emergency records. Some commenters requested the definition of “medical personnel” include 
any professional who provides health-related services, including behavioral health services, 
rather than being limited to medical doctors, nurses, and emergency medical technicians. Other 
commenters suggested the language be changed so that “non-medical personnel” who are 
currently working with clients in an emergency situation have access to the patient emergency 
record. A commenter argued that substance use disorder patients commonly face medical 
emergencies and therefore it is prudent for an emergency department be named or identified 


under the “general disclosure” provision. 





SAMHSA Response: 
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Part 2 allows patient identifying information to be disclosed to medical personnel in a 
medical emergency. Part 2 does not define the term “medical personnel” but merely provides 
that information can be given to medical personnel who have a need for information about a 
patient in a bona fide medical emergency. It is up to the health care provider or facility treating 
the emergency to determine the existence of a medical emergency and which personnel are 
needed to address the medical emergency. The name of the medical personnel to whom the 
disclosure was made, their affiliation with any health care facility, the name of the individual 
making the disclosure, the date and time of the disclosure, and the nature of the medical 
emergency must be documented in the patient’s records by the part 2 program disclosing the 
information. SAMHSA does not have the authority to permit information to be disclosed to 
"non-medical personnel" pursuant to a medical emergency because the authorizing statute for the 
regulations codified at 42 CFR part 2 limits disclosures to "medical personnel.” 

With regard to identifying emergency departments under the “general disclosure” 
provision, the medical emergency exception requires that a provider determine that a bona fide 
medical emergency exists and that a patient’s visit to an emergency room does not automatically 
constitute such an emergency. SAMHSA reiterates that there is a difference between refusal to 
consent and being incapable of consenting to disclosure. 


Public Comments: 





Commenters requested clarification on which entity, the receiving emergency department 
or HIE, would be obligated to maintain part 2-compliance with information received through a 
declared patient emergency. A commenter argued the rule should state that a hospital emergency 


room or other health care provider that obtains program information under the medical 


170 


emergency exception would not be subject to part 2 rules with respect to such program 
information. 


SAMHSA Response: 





Part 2 requires that when a disclosure is made in connection with a medical emergency, 
the part 2 program must document in the patient's record the name and affiliation of the recipient 
of the information, the name of the individual making the disclosure, the date and time of the 
disclosure, and the nature of the emergency. Thus, data systems must be designed to ensure that 
the part 2 program is notified when a “break the glass” disclosure occurs and part 2 records are 
released pursuant to a medical emergency. The notification must include all the information that 
the part 2 program is required to document in the patient’s records. The information about 
emergency disclosures should also be kept in the HIE’s electronic system. Regarding the 
requests for clarification on part 2 applicability to information disclosed pursuant to a medical 
emergency, SAMHSA understands the importance of these questions. However, because these 
issues are not related to specific proposals made in the NPRM, SAMHSA plans to address them 
in subregulatory guidance after the publication of the final rule. 


Public Comments: 





A commenter warned that emergency disclosures for requesting of part 2 records can 
occur by means other than solely through an HIE. 


SAMHSA Response: 





The EHR is the vehicle for the disclosure of the part 2 record but not the decision-maker. 
The name of the person who makes the determination to disclose and discloses the information 
electronically through an EHR system should be recorded. SAMHSA clarifies that the example 


used of an HIE was not meant to be exhaustive to include all potential sources of disclosures. 
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N. Research (§ 2.52) 

SAMHSA is modifying this section from the regulatory text proposed, as described in 
detail below. SAMHSA is implementing several changes to the research provision. First, we 
have revised the section heading by deleting the word “activities.” In addition, SAMHSA has 
revised the research exception to permit data protected by 42 CFR part 2 to be disclosed by any 
individual or entity that is in lawful possession of part 2 data (lawful holder of part 2 data) under 
certain conditions. 

SAMHSA also addressed data linkages because the process of linking two or more 
streams of data opens up new research opportunities and potential risks. In the NPRM, 
SAMHSA proposed to permit researchers to request to link data sets that include patient 
identifying information if (1) the data linkage uses data from a federal data repository, and (2) 
the project, including a data protection plan, is reviewed and approved by an Institutional Review 
Board (IRB) registered with the Office for Human Research Protections (OHRP) in accordance 
with 45 CFR part 46. SAMHSA requested comments in the NPRM on whether to expand the 
data linkages provision beyond federal data repositories. After considering the public comments 
received on this topic, as discussed in greater detail below, SAMHSA has revised the data 
linkages provision to permit researchers to link to federal and non-federal data repositories 
provided certain conditions are met. 

The revised § 2.52 permits a researcher to include part 2 data in reports only in aggregate 
form. SAMHSA clarified in this final rule that, with respect to these types of reports, the patient 
identifying information has been rendered non-identifiable such that the information cannot be 
re-identified and serve as an unauthorized means to identify a patient, directly or indirectly as 


having or having had a substance use disorder. SAMHSA requires any individual or entity 
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conducting scientific research using patient identifying information to meet additional 
requirements to ensure compliance with confidentiality provisions under part 2. Note that de- 
identified information can be shared for the purposes of research; this was the status quo under 
the previous part 2 regulations, and this final rule does not change that. 

Finally, § 2.52 addresses, in addition to the maintenance of part 2 data, the retention and 
disposal of such information used in research. SAMHSA expanded the provisions in § 2.16 
(Security for records) and references the policies and procedures established under § 2.16 in 
revised § 2.52. The NPRM language in (a)(1) only referenced “the HIPAA privacy rule at 45 
CFR 164.512(i)” while the final rule regulatory language in (a)(1) now says: “consistent with the 
HIPAA Privacy Rule at 45 CFR 164.508 or 164.512(i), as applicable’. 

1. General 


Public Comments: 





Many commenters expressed support for revising the research exception to permit data 
protected by part 2 to be disclosed to qualified personnel for the purpose of conducting scientific 
research by a part 2 program or any other individual or entity that is in lawful possession of part 
2 data (lawful holder of part 2 data). Many commenters expressed general support for expanding 
the circumstances in which research may be conducted with part 2 data. Many commenters 
supported disclosure of data from other lawful holders of substance use disorder records with 
researchers. Commenters supported the prevention of data scrubbing of records and other data 
suppression related to substance use disorders. Some commenters specified support to stop 
“suppression” of Medicare and Medicaid data from any records associated with substance use 
disorder. 


SAMHSA Response: 
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SAMHSA’s revisions to the research provision address these concerns regarding access 
to substance use disorder information from CMS claims/encounter data disclosed for research 
purposes. First, the research provision permits part 2 programs and other lawful holders of 
patient identifying information (not just part 2 program directors) to disclose data protected by 
42 CFR part 2 to qualified personnel for the purpose of conducting scientific research if the 
researcher provides documentation of meeting certain requirements related to other existing 
protections for human research. Second, SAMHSA also addressed data linkages to enable 
researchers holding part 2 data to link to data sets from federal and non-federal data repositories 
provided certain conditions are met as spelled out in section 2.52. 


Public Comments: 





Another commenter supported the use of data use agreements for all research transfers of 
part 2 information and requested the proposed regulation provide examples of these agreements. 
A commenter stated that the agency should allow research of additional administrative data sets 
such as those held by HIEs, ACOs, state Medicaid agencies, commercial insurance companies, 
and Medicare Advantage plans with appropriate IRB reviews. 


SAMHSA Response: 





Although not required by § 2.52, the regulation would permit any lawful holder of patient 
identifying information to require a researcher sign a data use agreement spelling out these 
requirements. 

SAMHSA is adopting its proposal regarding the research exception to permit data 
protected by 42 CFR part 2 to be disclosed to qualified personnel for the purpose of conducting 
scientific research by a part 2 program or any other individual or entity that is in lawful 


possession of part 2 data if the researcher provides documentation of meeting certain 
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requirements related to other existing protections for human research. If an entity meets the 
requirements of an “other lawful holder of patient identifying information,” as described in the 
preamble of this final rule, the entity would be authorized to disclose part 2 data for research 
purposes in accordance with § 2.52. 


Public Comments: 





Another commenter asked a series of questions related to the release of data by lawful 
holders that are not part 2 programs (e.g., HIEs). The commenter asked how these HIEs, third- 
party payers, etc., will be able to determine that a researcher will maintain the confidential 
patient identifying information in accordance with the security requirements set out in 
§ 2.52(a)(2); how will the "lawful holders" be able to assess whether the potential benefits of the 
research outweighs any risks to confidentiality as required by § 2.52(a)(3); and what individual 
at these various "lawful holders" will be the equivalent of a part 2 program director and have the 
authority to make these decisions. The commenter stated that it is almost certain that these 
"lawful holders" will not sufficiently know the confidentiality regulations so as to ensure the 
researchers are aware of, and will comply with the prohibition against re-disclosure specified in 
§ 2.52(b). 


SAMHSA Response: 





SAMHSA examined the existing regulations that protect human subjects in research and 
concluded that, if those requirements were fulfilled, 42 CFR part 2 would ensure confidentiality 
protections consistent with the statute, while providing the expanded authority for disclosing 
patient identifying information. Requirements that ensure compliance with HIPAA and the 
Common Rule (e.g., IRB and/or privacy board review) with respect to research provide these 


assurances, including that the researcher has a plan to protect and destroy identifiers and to not 
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re-disclose the information in an unauthorized manner. The individual who would make the 
determination to disclose part 2 data on behalf of a part 2 program or other lawful holder would 
be the individual designated as director or managing director, or individual otherwise vested with 
authority to act as chief executive officer or their designee. In addition, there is nothing in the 
regulation that requires this individual to disclose the data, even if the researcher provides 
documentation of compliance with the requirements under § 2.52. 


Public Comments: 





A commenter stated that the proposed rule adopted an overly narrow approach to 
disclosures for scientific research, by limiting part 2 disclosures only to entities or individuals 
subject to the HIPAA Privacy Rule or the HHS Common Rule. The commenter stated that 
because the commenter is not a HIPAA covered entity or business associate under HIPAA, and 
is not currently subject to the Common Rule, the commenter does not appear to meet the 
conditions required for disclosure for scientific research. The commenter stated that limiting 
disclosures for research purposes only to entities or individuals subject to the HIPAA Privacy 
Rule and/or Common Rule is inconsistent with the language and intent of the governing statute, 
which broadly authorizes disclosures to qualified personnel for the purposes of conducting 
scientific research." (42 U.S.C. 290dd-2(b)(2)(B)). The commenter urged SAMHSA to interpret 
research broadly to include state analytic activities to identify patterns and variations in the cost, 
quality and delivery of health care, similar to the approach adopted by CMS for the release of 
CMS claims/encounter data to state agencies. 


SAMHSA Response: 





The revised research exception will now permit data protected by 42 CFR part 2 to be 


disclosed for research purposes by part 2 programs and other lawful holders of patient identifying 
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information not just by part 2 program directors as the 1987 final rule regulations require. 
Because SAMHSA is expanding the authority for disclosing patient identifying information 
beyond part 2 program directors, it was necessary to establish a mechanism to ensure that 
confidentiality protections consistent with the statute were fulfilled in all cases. SAMHSA 
determined that the existing regulations that protect human subjects in research would 
accomplish this, and, therefore, decided to limit the permitted disclosures for research purposes 
under part 2 to instances in which the researchers would meet the requirements governing their 
receipt of protected health information from a covered entity under the HIPAA privacy rule 
and/or the requirements governing research on human subjects under the HHS Common Rule. 
Under this expanded authority, the HIPAA standards would be applied as a test regardless of 
whether the data source for the disclosure was a HIPAA covered entity. 

Under 42 CFR part 2, the research provision provides clear policies on conducting 
research and protecting the confidentiality of patient identifying information, including their 
obligations to comply with requirements under 42 CFR 2.16, Security for Records. 


Public Comments: 





A commenter stated that SAMHSA, in coordination with state regulators, should work 
together to issue guidance related to the application of the federal part 2 requirements to 
substance use disorder information that may be requested by states for public health and other 
purposes. 


SAMHSA Response: 





The statute authorizing part 2 contains specific limited exceptions to the consent 
requirement, and making a change to exempt states from this requirement, under certain 


conditions, would be inconsistent with the statutory scheme. 
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Public Comments: 





One commenter stated that the expansion of the disclosure of patient identifying 
information should be limited to CMS and/or state governmental agencies that have authority 
over substance use disorder treatment services. The commenter stated that an unintended 
consequence of implementing the potential of wide-spread disclosure of previously protected 
information is that the protections the confidentiality regulations afforded patients will be 
eviscerated as essentially all the recipients of protected information, for the last 40 years will no 
longer be bound by the prohibition of re-disclosure, subjecting the patient's information to re- 
disclosure, without the patient's consent, to any individual or entity representing that they are 
conducting scientific research. The commenter argued that SAMHSA should limit the number of 
entities who can release patient identifying information to those who actually have the resources 
to verify that such disclosure to a researcher is for a valid research purpose; can ensure proper 
research protections are in place; and affirm the patient will not be more vulnerable as a result of 
the disclosure. The vast majority of lawful holders cannot adequately perform this analysis and 


therefore cannot protect the patient's interest as required under the part 2 regulations. 





SAMHSA Response: 

SAMHSA declines to narrow the scope of the research provision as suggested. In 
developing the proposed rule, SAMHSA examined the existing regulations that protect human 
subjects in research and concluded that, if those requirements were fulfilled, 42 CFR part 2 
would ensure confidentiality protections consistent with the statute, while providing the 
expanded authority for disclosing patient identifying information. Specifically, IRBs determine 
that, when appropriate, there are adequate provisions to protect the privacy of subjects and to 


maintain the confidentiality of data before approving the research (45 CFR 46.111(a)(7)). 
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SAMHSA is interested in affording patients protected by 42 CFR part 2 the same opportunity to 
benefit from advanced research protocols while continuing to safeguard their privacy, and 
narrowing the scope of lawful holders that may disclose part 2 data for research purposes, as 
suggested by the commenter would limit the ability of patients to benefit from these research 
efforts. 


Public Comments: 





Other commenters expressed concern about the expanded research exception. A 
commenter stated that the proposed provision would create a wide opportunity for data sharing 
with increased risk of adverse impact. Similarly, a commenter warned that the research 
exception revision poses unnecessary risk of data breach of patient’s confidentiality. 

SAMHSA received a large number of comments, particularly from researchers, 
expressing support for the revised research provision. These commenters expressed concern that, 
without this revised provision, researchers’ access to substance use disorder-related data in 
Medicare and Medicaid claims/encounter databases would be limited to instances in which 
consent could be obtained. A number of commenters cited a study by K. Rough et al. published 


in the March 15, 2016, issue of the Journal of the American Medical Association that found the 





exclusion of part 2 data from Medicare and Medicaid claims/encounter data in research contexts 
coincided with decreases in the rates of diagnoses for certain conditions commonly co-occurring 
with substance use disorder. Commenters reiterated a point made in the article that 
underestimating diagnoses has the potential to bias health services research studies and 
epidemiological analyses. Some commenters also stated that implementing appropriate data 
safeguards can protect patient privacy while still allowing researchers access to critical data. 


SAMHSA Response: 
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SAMHSA agrees with the commenters’ assertions regarding how the exclusion of this 
substance use disorder data hampers vital public health research, particularly in light of the 
growing national opioid epidemic and is finalizing the research data access proposal in the final 
rule. 

With respect to concerns about privacy and the expansion of the research exception, SAMHSA 
clarifies that the research exception is intended to permit data protected by 42 CFR part 2 to be 
disclosed to qualified personnel for the purpose of conducting scientific research by a part 2 
program or any other individual or entity that is in lawful possession of part 2 data (lawful holder 
of part 2 data) 

. The research provision (§ 2.52(b)) already includes a requirement that the researcher receiving 
the part 2 data is fully bound by 42 CFR part 2. Although not required by § 2.52, the regulation 
would permit any lawful holder of patient identifying information to require a researcher to sign 
a data use agreement spelling out these requirements. Lawful holders of patient identifying 
information may disclose part 2 data without patient consent for research purposes only under 
the specified circumstances under the research provision. 


Public Comments: 





A commenter requested clarification as to whether “lawful holders” may disclose part 2 
data to third parties to conduct research or whether the “lawful holder” has to conduct the 
research itself. 

Citing the HIPAA tracking criteria for disclosures outside the entity pursuant to a waiver 
of authorization, another commenter asked SAMHSA to clarify what tracking requirements 


would apply to disclosure of part 2 data for purposes of research. This commenter also asked 
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SAMHSA to clarify whether disclosure for purposes of research means sharing the data with 
anyone for research purposes or only applies when part 2 data is shared with an outside entity. 


SAMHSA Response: 





The research provision permits part 2 programs and other lawful holders of patient 
identifying information to disclose data protected by 42 CFR part 2 to qualified personnel for the 
purpose of conducting scientific research if the researcher provides documentation of meeting 
certain requirements related to other existing protections for human research. “Qualified 
personnel” is a statutory term and SAMHSA has clarified that this term includes those 
individuals who meet the requirements specified in the research provision to receive part 2 data 
for the purpose of conducting scientific research. 

The proposed rule did not include a tracking requirement for information disclosed under 
the research exception and so we are declining to include such a requirement in the final rule. 


Public Comments: 





Another commenter reasoned that municipalities should be able to receive and match 
patient identifying information and then use the de-identified data for planning and analysis 
purposes (e.g., determining how many criminal justice-involved defendants have a previous 
history of substance use disorder treatment). 


SAMHSA Response: 





SAMHSA declines to make the recommended expansion to the research provision. 
SAMHSA is revising the research exception to permit data protected by 42 CFR part 2 to be 
disclosed to qualified personnel for the purpose of conducting scientific research by a part 2 
program or any other individual or entity that is in lawful possession of part 2 data (lawful holder 


of part 2 data).“Qualified personnel” is a statutory term and SAMHSA has clarified that this term 
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includes those individuals who meet the requirements specified in the research provision to 
receive part 2 data for the purpose of conducting scientific research. This term would not 
preclude researchers from conducting such research efforts on behalf of a municipality. 
However, part 2 prohibits researchers from re-disclosing patient identifying information except 
back to the individual or entity from whom that patient identifying information was obtained or 
as permitted under § 2.52(c) of this section, and permits researchers to include part 2 data in 
reports only in aggregate form in which patient identifying information has been rendered non- 
identifiable such that the information cannot be re-identified and serve as an unauthorized means 
to identify a patient, directly or indirectly, as having or having had a substance use disorder. 


Public Comments: 





A commenter expressed support for the strengthened proposed research provision 
whereby patient identifying information may be released only after the program director has 
determined the research recipient has obtained appropriate IRB and/or privacy board approval 
and consent. Another commenter asserted that information that is de-identified and presented in 
aggregate should be permitted to be more readily used in research. The commenter stated that 
this was another area where SAMHSA can promote greater alignment with HIPAA, which 
provides allowances for covered information that is de-identified and presented in the aggregate. 


SAMHSA Response: 





Part 2 only applies to information that would identify a patient as having or having had a 
substance use disorder. The revised research provision allows researchers to include part 2 data 
in reports only in aggregate form in which patient identifying information has been rendered non- 
identifiable such that the information cannot be re-identified and serve as an unauthorized means 


to identify a patient, directly or indirectly, as having or having had a substance use disorder. The 
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revised § 2.52 also requires researchers to maintain and destroy patient identifying information in 
accordance with the security policies and procedures established under § 2.16. SAMHSA aligned 
policy with HIPAA where possible. However, 42 CFR part 2 and its governing statute are 
separate and distinct from HIPAA, and the part 2 regulations use different terminology than used 
in HIPAA. 


Public Comments: 





A commenter requested clarification on whether data disclosed to qualified personnel 
under § 2.52 would include “identifiable information.” For example, this commenter asked why 
a name would be relevant if the data and information would be used for research. Another 
commenter stated that certain patient identifying information such as social security numbers 
should not be included, as it serves no purpose to researchers. The commenter stated that this can 
easily be mitigated by data segmentation and consent management, but until then the rule should 
be maintained in that the part 2 program director is the only individual authorized to release of 
information. 


SAMHSA Response: 





The part 2 data that may be disclosed for research purposes include patient identifying 
information, as that term is defined in § 2.11. One reason researchers would need identifiable 
information is to link part 2 data to other data sets, or for conducting data linkages. SAMHSA 
also proposed to address data linkages, which requires identifiable information, because the 
process of linking two or more streams of data opens up new research opportunities and potential 
risks. For example, the practice of requesting data linkages from other data sources to study the 
longitudinal effects of treatment is becoming widespread. SAMHSA is interested in affording 


patients protected by 42 CFR part 2 the same opportunity to benefit from these advanced 
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research protocols while continuing to safeguard their privacy. Likewise, SAMHSA revised the 
research provision to enable part 2 data to be disclosed for research purposes by part 2 programs 
and other lawful holders of patient identifying information so that patients may benefit from the 
additional scientific research that will be conducted and that will facilitate continual quality 
improvement of part 2 programs and the important services they offer. This additional research 
would not be able to be conducted if SAMHSA were to continue to maintain the existing part 2 
research provision, as suggested. 


2. Suggestions for Improvement of the Research Provisions 





Public Comments: 





Some commenters made suggestions to improve privacy protections as it relates to 
research. A commenter suggested that the research provision require a certificate of 
confidentiality as a prerequisite to researcher access to part 2 information. 


SAMHSA Response: 





The research provision (§ 2.52(b)) already includes a requirement that the researcher 
receiving the part 2 data is fully bound by 42 CFR part 2. Although not required by § 2.52, the 
regulation would permit any lawful holder of patient identifying information to require a 
researcher sign a data use agreement spelling out these requirements. 

According to NIH, certificates of confidentiality do not take the place of good data 
security or clear policies and procedures for data protection, which are essential to the protection 
of research participants’ privacy. Under 42 CFR part 2, the research provision provides clear 
policies on conducting research and protecting the confidentiality of patient identifying 
information, including their obligations to comply with requirements under 42 CFR 2.16, 


Security for Records. 
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Public Comments: 





A commenter concluded that the number of entities who could release patient identifying 
information should be limited to those who have the resources to verify the research is valid and 
the patient will not become more vulnerable as result of disclosure. A commenter suggested that 
strict policies be in place at all levels of research organizations to assure that prohibited re- 
disclosure of patient information does not occur. A commenter asserted that aligning part 2’s 
requirements for a valid written consent with those applicable under the HIPAA Privacy Rule 
would avoid confusion. One commenter suggested that the filing of conflict of interest 
statements by the primary investigators and co-investigators be required. A commenter suggested 
a change in language to clarify that researchers will resist any judicial demand for access to 
patient records, except as permitted by these regulations. 


SAMHSA Response: 





SAMHSA examined the existing regulations that protect human subjects in research and 
concluded that, if those requirements were fulfilled, 42 CFR part 2 would ensure confidentiality 
protections consistent with the statute, while providing the expanded authority for disclosing 
patient identifying information. Requirements that ensure compliance with HIPAA and the 
Common Rule (e.g., IRB and/or privacy board review) with respect to research provide these 
assurances, including that the researcher has a plan to protect and destroy identifiers and to not 
re-disclose the information in an unauthorized manner. Disclosure of part 2 data also would be 
allowable for research that qualifies for exemption under the Common Rule due to the lower risk 
to subjects in the circumstances where exemptions apply, and this has been clarified in § 
2.52(a)(2). The individual who would make the determination to disclose part 2 data on behalf of 


a part 2 program or other lawful holder would be the individual designated as director or 
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managing director, or an individual otherwise vested with authority to act as chief executive 
officer or their designee. In addition, there is nothing in the regulation that requires this 
individual to disclose the data, even if the researcher provides documentation of compliance with 
the requirements under § 2.52. 

SAMHSA declines to make the recommended change regarding conflicts of interest to 
the research section (§ 2.52). The revised research provision requires reviews, either by an IRB 
and/or privacy board, for the specific purpose of minimizing risk to patients and their privacy. 
The research provision also requires researchers requesting data linkages, as described in 
§ 2.52(c), to have the request reviewed and approved by an IRB registered with the Department 
of Health and Human Services, Office for Human Research Protections in accordance with 45 
CFR part 46 to ensure that patient privacy is considered and the need for identifiable data is 
justified. In addition, HHS has issued subregulatory guidance that, to the extent financial 
interests may affect the rights and welfare of human subjects in research, IRBs, institutions, and 
investigators need to consider what actions regarding financial interests may be necessary to 
protect those subjects. 

SAMHSA proposed to require any individual or entity conducting scientific research 
using patient identifying information to meet additional requirements to ensure compliance with 
confidentiality provisions under part 2. Among these are a provision (§2.52(b)(1)) that “requires 
researchers to be fully bound by these regulations and, if necessary, to resist in judicial 
proceedings any efforts to obtain access to patient records except as permitted by these 
regulations.” 


Public Comments: 
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Another commenter suggested that the rule allow an extended disclosure period specific 
to research that could be included in the initial disclosure approval. 


SAMHSA Response: 





The part 2 regulations do not specify a disclosure period in the research provision. 


Public Comments: 





A commenter said that it would bring clarity and aid entities seeking to comply with the 
proposed rule if it included a definition of "repository" and of "scientific research." The 
commenter stated that the HHS Common Rule provisions, referenced repeatedly in the proposed 
rule, apply only to activities which meet the definition of research involving human subjects. It is 
not clear whether SAMHSA intends to adopt Common Rule definitions or create a separate 
scheme. 


SAMHSA Response: 





SAMHSA did not propose a regulatory definition for these terms in the NPRM and 
respectfully declines to define the terms in the final rule as suggested. “Scientific research” is a 
statutory term that is not defined. Researchers requesting part 2 data for the purposes of 
conducting scientific research and whose research is subject to the Common Rule would need to 
comply with requirements for the Common Rule as well as those of part 2. SAMHSA refers to 
the term “repository” in the context of the data linkages provision, and intended the term to 
broadly refer to data that is stored and managed. SAMHSA may address undefined terms that 
require further elaboration in subregulatory guidance or in subsequent rulemaking. 


Public Comments: 
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One commenter supported provisions that allow states to work with outside entities, 
which are HIPAA and Common Rule compliant, to conduct research that will improve care and 
drive quality outcomes for Medicaid beneficiaries with a substance use disorder. 


SAMHSA Response: 





SAMHSA supports the efforts of part 2 stakeholders to work together collaboratively and 
in compliance with the law. Part 2 prohibits researchers from re-disclosing patient identifying 
information except back to the individual or entity from whom that patient identifying 
information was obtained or as permitted under the data linkages provision. Researchers may 
include part 2 data in reports only in aggregate form in which patient identifying information has 
been rendered non-identifiable such that the information cannot be re-identified and serve as an 
unauthorized means to identify a patient, directly or indirectly, as having or having had a 
substance use disorder. 


3. HIPAA and HHS Common Rule Requirements 





Public Comments: 





Many commenters expressed support for aligning requirements for disclosure of 
information for conducting research with existing requirements for research as regulated by the 
HHS Common Rule (45 CFR part 46). A commenter remarked that an alternate approach would 
be to create a single category of consent for research purposes. 


SAMHSA Response: 





In this part 2 final rule, SAMHSA has implemented certain revisions that are predicated 
on the current version of the Common Rule (45 CFR part 46, Protection of Human Subjects, 
promulgated in 1991). Should conflicting policies be created in the future, SAMHSA will take 


appropriate action (e.g., issue an NPRM or technical correction). With respect to creating a 


188 


single category of consent for research, the existing consent requirements permit patient consent 
for the disclosure of patient identifying information for the purpose of scientific research. 


4. Data Linkages 





SAMHSA revised § 2.52 from the proposed regulatory text by separating out the data 
linkages provisions into its own paragraph, § 2.52(c) for purposes of clarity and readability. In 
addition, the final § 2.52 addresses data linkages to enable researchers holding part 2 data to link 
to data sets from federal and non-federal data repositories as explained in greater detail below. 
SAMHSA proposed to permit researchers to request to link data sets that include patient 
identifying information under certain conditions. We proposed to limit the data repositories from 
which a researcher may request data for data linkages purposes to federal data repositories 
because federal agencies that maintain data repositories have policies and procedures in place to 
protect the security and confidentiality of the patient identifying information that must be 
submitted by a researcher in order to link the data sets. SAMHSA sought input from the public 
regarding whether to expand the data linkages provision beyond federal data repositories; what 
confidentiality, privacy, and security safeguards are in place for those non-federal data 
repositories; and whether those safeguards are sufficient to protect the security and 
confidentiality of the patient identifying information. 


Public Comments: 





Several commenters suggested that researchers be allowed to perform data linkages 
between data sets containing substance use disorder data. However, some warned that the 
proposed rule was unclear regarding data linkages. One commenter said SAMHSA should 
clarify that researchers have the option to submit data to a federal data repository, like CMS, for 


linking of federal data, but are not required to do so. Other commenters argued that proposed 
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§ 2.52 should explicitly allow researchers to perform their own data linkages between data sets 
containing substance use disorder records. A commenter asserted that non-profit entities who 
engage in research should be distinct from for-profit organizations and that for-profit 
organizations should not be allowed access to large linked data sets. 

Many commenters expressed support for permitting linkage with non-federal repositories 
where adequate, flexible safeguards are in place to protect the security and confidentiality of part 
2 data. A commenter asserted that only allowing researchers to combine 42 CFR part 2 records 
received without patient consent with records from a federal repository is not consistent with the 
goal of enhancing research conducted with data protected by part 2. In particular, commenters 
pointed out that many state, local, tribal, and corporate data repositories with hospital emergency 
department and discharge, trauma registry, and birth and death records would not be covered by 
the federal data linkages language in the proposed rule, thereby hampering important research 
and evaluation activities. Additionally, commenters supported the expansion of data linkages in 
order to better support the analysis required by evolving health care delivery and payment 
models, such as Accountable Care Organizations. 

Commenters urged that appropriate privacy and security protections are in place, to include 
physical security and disposition of data if SAMHSA permits linkages to non-federal data 
repositories. One commenter remarked that protections imposed by federal repositories that are 
not imposed by other repositories should be identified and considered as requirements, so as not 
to lose the insight offered through additional linkage opportunities. Another suggested 
implementation of data use agreement language to non-federal repositories. A commenter 
reasoned IRBs or privacy officers could ensure other repositories are in compliance with part 2 


requirements. 
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However, a few commenters did not support expansion of data linkage to non-federal 
repositories. Some commenters expressed concerns about the security of data in both federal and non- 
federal data repositories citing examples of healthcare data breaches. One commenter concluded data 
linkage to any data repositories be withdrawn from the proposed language citing the federal 
agencies as well as health care data repositories inability to adequately safeguard personal 
information. Another commenter suggested data repositories performing the data linkages, if 
outside of part 2 entity, not be given information subject to part 2. 


SAMHSA Response: 





SAMHSA would like to clarify that the data linkages provision is not intended to prohibit 
a researcher from linking a data set in the researcher’s possession that contains part 2 data with a 
data set from a third party source, so long as the part 2 data is not further disclosed in the data 
linkage process and the researcher adheres to any applicable confidentiality, privacy, and security 
requirements and safeguards. Regarding the comment on for-profit organizations, whether the 
researcher is a for-profit or not-for-profit organization, the researcher would be required to have 
IRB approval and/or privacy board review of their research, and, additionally, IRB approval of 
the research project that contains the data linkage component, to ensure risks to the patient and 
their privacy are minimized. In addition, part 2 prohibits researchers from re-disclosing patient 
identifying information except back to the individual or entity from whom that patient 
identifying information was obtained or as permitted under the data linkages provision. 
Researchers may include part 2 data in reports only in aggregate form in which patient 
identifying information has been rendered non-identifiable such that the information cannot be 
re-identified and serve as an unauthorized means to identify a patient, directly or indirectly, as 


having or having had a substance use disorder. 
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In response to public comments, SAMHSA has decided in the final rule to permit data 
linkages to both federal and non-federal data repositories subject to the conditions explained 
below. SAMHSA believes that these changes will enhance research while still ensuring the 
protection of part 2 patient identifying information. SAMHSA agrees with commenters that 
many non-federal data repositories, as well as federal data repositories, contain data that is 
critical to research and, therefore, SAMHSA is expanding data linkages provisions. 

In the data linkages provision of this final rule (§ 2.52(c)), SAMHSA revises its proposal 
to enable researchers holding part 2 data to link to data sets from any repository, including non- 
federal repositories, provided that the linkage has been reviewed and approved by an Institutional 
Review Board registered with the Department of Health and Human Services, Office for Human 
Research Protections in accordance with 45 CFR part 46 to ensure that patient privacy is 
considered and the need for identifiable data is justified. In addition to having the request 
reviewed and approved by an IRB, the researcher must ensure that patient identifying 
information obtained under the rule’s research provisions is not provided to law enforcement 
agencies or officials. SAMHSA states in the final rule that the data repository is fully bound by 
the provisions of part 2 upon receipt of the patient identifying data and must, after providing the 
researcher with the linked data, destroy or delete the linked data from its records, including 
sanitizing any associated hard copy or electronic media, to render the patient identifying 
information non-retrievable in a manner consistent with the policies and procedures established 
under § 2.16 Security for records. In addition, the data repository must ensure that any data 
obtained pursuant to part 2’s research provisions is not provided to law enforcement agencies or 
officials. 


Public Comments: 
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One commenter recommended that SAMHSA expand data linkages beyond research 
to the broader need for it to be inclusive of coordinated care. The commenter stated that this is 
another area where SAMHSA could look to existing HIPAA provisions and align the part 2 
provisions accordingly. 


SAMHSA Response: 





SAMHSA declines to make the revision suggested by the commenter. The transfer of part 
2 information for the purposes of research, as allowed under § 2.52, is an exception to patient 
consent, and, therefore, the data linkages provision cannot be expanded to other parts of the 
regulation. Because of its targeted population, part 2 provides more stringent federal protections 
than most other health privacy laws, including HIPAA. However, SAMHSA aligned policy with 


HIPAA where possible. 





5. Multi-Payer Claims Database 


Public Comments: 





Many commenters urged the final rule to explicitly include a statement on the authority 
granted to MPCDs (also referred to as APCDs) that maintain adequate safeguards to collect, link, 
and disseminate substance use disorder records without patient consent for research purposes. 
Several commenters argued that many states have established state-sponsored MPCD systems 
and urged the proposed rule to specifically ensure substance use disorder data are not 
systematically excluded from state MPCD systems, allowing part 2 data to be collected, linked, 
and disseminated without patient consent for research purposes. A commenter requested specific 
guidance as to whether MPCDs could be lawful holders of part 2 data with the same disclosure 
requirements as those for HIEs. A commenter stated that the rule should authorize state data 


repositories such as an MPCD to link part 2 data to other data for research purposes. 
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SAMHSA Response: 





For an MPCD or any entity to disclose part 2 data for research purposes under the rule’s 
research exception to consent requirements (§ 2.52), the entity must be a “lawful holder of 
patient identifying information.” Under the research provision, any lawful holder of part 2 data 
may disclose the data to qualified researchers that meet the requirements under the HHS 
Common Rule or HIPAA Privacy Rule. As SAMHSA discussed in the NPRM preamble, a 
“lawful holder” of patient identifying information is an individual or entity who has received 
such information in accordance with the part 2 requirements, and, therefore, is bound by 42 CFR 
part 2. Examples of potential “lawful holders” of patient identifying information include a 
patient’s treating provider, a hospital emergency room, an insurance company, an individual or 
entity performing an audit or evaluation, or an individual or entity conducting scientific research. 
As permitted by the authorizing statute and under these regulations, any lawful holder of patient 
identifying information may disclose part 2 data without patient consent for research purposes 
under the circumstances specified under the research provision. 

Regarding the specific scenario raised by commenters, SAMHSA wishes to clarify that 
MPCDs and other data intermediaries are permitted to obtain part 2 data under the research 
exception provided in § 2.52, provided that the conditions of the research exception are met. 
Furthermore, an MPCD or data intermediary that obtains part 2 data in this fashion would be 
considered a “lawful holder” under these final regulations and would therefore be permitted to 
redisclose part 2 data for research purposes, subject to the other conditions imposed under § 2.52. 
The final rule edits the language under paragraph 2.52(a) to clarify that the regulations do not 


prohibit such a disclosure. 
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Except as provided in paragraph 2.52(c), a researcher may not redisclose patient 
identifying information for data linkages purposes. SAMHSA’s data linkages provision permits 
researchers to request to link data sets that include patient identifying information if the data 
linkages component is reviewed and approved by an IRB registered with OHRP in accordance 
with 45 CFR part 46 and certain other conditions are met. The data linkages provision is not 
intended to prohibit a researcher from linking a data set in the researcher’s possession that 
contains part 2 data with a data set from a third-party source, so long as the part 2 data is not 
further disclosed in the data linkage process and any applicable confidentiality, privacy, and 
other conditions as specified in this rule are adhered to. 

O. Audit and Evaluation (§ 2.53) 

SAMHSA is modifying the proposed language as discussed below. SAMHSA has revised 
the section heading by deleting the word “activities.” SAMHSA modernized this section to 
include provisions governing both paper and electronic patient records. In addition, we revised 
the requirements for destroying patient identifying information by citing the expanded Security 
for Records section (§ 2.16). Furthermore, we updated the Medicare or Medicaid audit or 
evaluation paragraph title to include Children's Health Insurance Program (CHIP) and, in 
subsequent language, refer to Medicare, Medicaid, and CHIP. 

The § 2.53 revisions permit the part 2 program, not just the part 2 program director, to 
determine who is qualified to conduct an audit or evaluation of the part 2 program. The revised 
language also permits an audit or evaluation necessary to meet the requirements of a CMS- 
regulated ACO or similar CMS-regulated organization (including a CMS-regulated QE), under 
certain conditions, by better aligning the criteria in this section with those set forth in the 


Affordable Care Act (regulating ACOs, in part, at 42 U.S.C. 1395jjj). We have specified that 
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such ACO or similar CMS-regulated entities must have in place administrative and/or clinical 
systems. While the NPRM indicated both types of systems were required, it has been noted that 
some ACO or similar CMS-regulated entities will not have both clinical and administrative 
systems. We also have clarified in the final rule that the ACO or similar CMS-regulated 
organization (including a CMS-regulated QE) is subject to periodic evaluations by, or receives 
patient identifying information from, CMS or its agents. To ensure that patient identifying 
information is protected, the ACO or similar CMS-regulated organization (including a CMS- 
regulated QE) that is the subject of, or is conducting, the audit or evaluation must have a signed 
Participation Agreement with CMS or similar documentation that demonstrates that the 
organization and its auditors or evaluators must conduct the audit and evaluation activities in full 
compliance with all applicable provisions of 42 U.S.C. 290dd-2 and 42 CFR part 2. 


Public Comments: 





Several commenters provided comments with regard to § 2.53, Audit and Evaluation. A 
few commenters discussed the application of this section to Medicare and Medicaid. A couple of 
commenters recommended clarifying that Medicaid agencies are permitted under the QSO 
exception to disclose part 2 information to third-party payers for audit or evaluation purposes. 
These commenters also suggested that Medicaid and other third-party payers may use (third- 
party) contractors and vendors to assist beneficiaries and perform such activities as program 
integrity activities. The commenters argued that the QSO exception described above should 
include communications between third-party payers such as Medicaid agencies and other holders 
of part 2 data and QSOs to help ensure “operational efficiency.” Another commenter suggested 
that the revisions concerning the auditing process and Participation Agreements would be too 


burdensome, and would be inconsistently applied because Medicare and Medicaid do not have to 
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comply with the auditing requirements, whereas providers do. Further, a couple of commenters 
stated that part 2 programs would be confused in attempting to decipher which organizations 
have Participating Agreements with CMS in place, further exacerbating the existing compliance 
issues with part 2. A commenter requested that SAMHSA clarify whether Medicaid program 
ACOs and external quality review organizations (EQRO) are considered “CMS-regulated” for 
the purposes of permitted disclosures. The commenter suggested that Medicaid program entities 


should be considered CMS-regulated entities. 





SAMHSA Response: 

A QSO is an individual or entity that provides a service to a part 2 program consistent 
with a QSOA (see §§ 2.11, Definitions; 2.12(c)(4), Applicability). A QSOA is a two-way 
agreement between a part 2 program and the individual or entity providing the desired 
service. Therefore, to be a QSO, the contracted entity must be providing the service to a part 2 
program. The QSOA authorizes communication only between the part 2 program and QSO. 
Third-party payers, such as Medicaid, are not considered part 2 programs as defined in this rule, 
and are not eligible to have QSO through a QSOA. That said, comments to the proposed rule 
raised questions that indicate that there may be varying interpretations of the current (1987) part 
2 rule’s restrictions regarding the use of contractors/subcontractors in contexts other than the 
QSO context, such as the sharing of part 2 information by third-party payers with contractors and 
subcontractors to carry out activities related to audit and evaluation and program integrity, and 
we intend to address such scenarios with greater clarity in an SNPRM.. As stated under 
§ 2.12(a)(1), Restrictions on disclosures, the restrictions on disclosures in these regulations apply 
to any information, whether recorded or not, which would identify a patient as having or having 


had a substance use disorder either directly, by reference to publicly available information, or 
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through verification of such information by another person. Patient identifying information that 
has been rendered non-identifiable in a manner that creates a very low risk of re-identification 
may be disclosed. 

With regard to the concern that the proposed revisions to § 2.53 would be burdensome 
and create confusion when part 2 programs have to determine who has a Participation Agreement 
or similar documentation in place, CMS-regulated entities that, among other requirements, are 
subject to periodic evaluations by CMS or its agents, or are required by CMS to evaluate 
participants in the ACO or similar CMS-regulated organization (including a CMS-regulated QE) 
relative to CMS-defined or approved quality and/or cost measures should be able to produce 
evidence that they have Participation Agreements or similar documentation in place with CMS 
if requested by a part 2 program. 

As to whether Medicaid program ACOs and EQROs are considered “CMS-regulated,” 
this rule explicitly states that ACOs and similar organizations regulated by CMS may, subject to 
certain conditions, disclose or require participants in the organization to disclose part 2-covered 
information in order for the organization to meet CMS audit and evaluation requirements. Other 
entities may also be considered “CMS-regulated” depending on the particular circumstances, for 
example, as a result of their direct supervision by CMS, the establishment by CMS of regulations 
governing their conduct or qualification, or, in the case of Medicaid and CHIP-related entities, 
CMS’ approval of state plans or waivers and supervision of the state agencies. Medicaid program 
ACOs and EQROs do fit within the entities covered by the audit and evaluation provisions of the 
part 2 program. SAMHSA may further elaborate on this topic in subregulatory guidance issued 
following the publication of the final rule. 


Public Comments: 





198 


A few commenters provided input on SAMHSA’s proposal to permit audit or evaluation 
necessary to meet the requirements of a CMS-regulated ACO or similar CMS-regulated 
organization (including a CMS-regulated QE), under certain conditions. A couple of commenters 
recommended that SAMHSA modify part 2 to permit CMS to provide all claims with substance 
use disorder treatment information through the Claim and Claim Line Feed (CCLF) file so 
patients can receive comprehensive, quality treatment and programs can operate more efficiently 
and effectively. The commenters suggested that because 42 U.S.C. 290dd-2(b)(2)(B) permits 
substance use disorder treatment program to disclose treatment records without the consent of 
the patient for the purpose of audits or evaluation; § 2.53 of the proposed rule also permits 
substance use disorder treatment programs to disclose treatment records to ACOs or other CMS- 
regulated organizations to allow the organizations to meet CMS’s audit and evaluation 
requirements for participation; therefore the provision could be expanded, or clarified, to also 
permit CMS to disclose substance use disorder treatment information to ACOs and bundled 
payment participants for audit and evaluation activities. Another commenter expressed concern 
about the expansion of the part 2 audit and evaluation exception to include ACOs, because ACOs 
are continually “auditing” programs as a continual process of evaluating and monitoring and part 
2’s language makes clear that an audit or evaluation is a time-limited activity that is not intended 
to permit ongoing access to program records. This commenter asserted that the part 2 audit and 
evaluation exception should not be allowed to result in a practice that circumvents the need to 
obtain a patient’s consent to access their information. 

One commenter noted that CMS’s application of part 2 in its removal of substance use 
disorder treatment information from the monthly CCLF, in which CMS redacts any claim 


submitted by any provider where a substance use disorder is either the principal or secondary 
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diagnosis, causes CMS to remove claims from the CCLF file that are not produced by federally 
assisted substance use disorder treatment programs. The commenter urged SAMHSA to work 
with CMS to develop a pathway to include substance use disorder treatment information in the 
CCLF data file. 


SAMHSA Response: 





CMS may disclose patient identifying information to a CMS-regulated ACO or similar 
CMS-regulated organization (including a CMS-regulated QE) for Medicare audit and evaluation 
purposes pursuant to § 2.53(c), which provides that “[p]atient identifying information, as defined 
in § 2.11, may be disclosed under paragraph (c) of this section to any individual or entity for the 
purpose of conducting a Medicare, Medicaid, or CHIP audit or evaluation....”” Neither the statute 
nor the part 2 regulations define audit or evaluation. However, under this section of the audit and 
evaluation exception, the purpose of the disclosure must be to conduct a Medicare, Medicaid, or 
CHIP audit or evaluation. This may include audit or evaluation activities, such as reviews of 
financial performance or the quality of health care services delivered, undertaken by the CMS- 
regulated organization itself to review its own performance. The exception does not cover any 
activities conducted by ACOs that may not be reasonably construed as being related to such a 
purpose. 


Public Comments: 





Commenters provided other recommendations related to this section. A commenter 
suggested that § 2.53(d) should be revised to permit disclosure of patient information to entities 
that have administrative control over auditors. Another commenter suggested that SAMHSA 
consider allowing “lawful holders” the ability to share information for audit and evaluation 


services, with the agreement that the service provider must adhere to part 2. 
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Another commenter recommended that SAMHSA convene a group of state, local, and 
provider representatives to develop draft guidance. 


SAMHSA Response: 





Regarding the suggestion that § 2.53(d) should be revised to permit disclosure of patient 
information to entities that have administrative control over auditors, except as provided in 
§ 2.53(c), patient identifying information disclosed under this section may be disclosed only 
back to the program from which it was obtained and used only to carry out an audit or evaluation 
purpose or to investigate or prosecute criminal or other activities, as authorized by a court order 
entered under § 2.66. 

As recommended by a commenter, SAMHSA plans to develop and publish subregulatory 
guidance regarding the application of § 2.53 audit and evaluation disclosures after publication of 
this final rule. 

P. Other Public Comments on the Proposed Rule 


1. Requests to Extend the Public Comment Period 





Public Comments: 





Several commenters requested extension to the public comment period. Commenters 
stated the complexity and importance of the rule warranted additional time for reflection and 
comment. A few commenters requested that the comment period be extended for one year to 
allow for a more open process. A couple of commenters suggested that in addition to extending 
the comment period for one year, public hearings also be held across the county. 


SAMHSA Response: 





While SAMHSA recognizes that the issues addressed in the part 2 NPRM are complex 


and important, we concluded that the 60-day comment period was sufficient to provide the 
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public a meaningful opportunity to comment, and this conclusion is supported by the hundreds of 
complex and thoughtful comments received. Additionally, the NPRM was available to the 


public for a preliminary review on the Federal Register Web site upon submission of the NPRM 





to the Federal Register, which was several days prior to publication, thereby providing 





stakeholders additional time prior to the publication date. Finally, on June 11, 2014, SAMHSA 
held a public listening session and, invited through a Federal Register notice, general comments, 


as well as comments on six key provisions of 42 CFR part 2. 





2. Rulemaking Process 


Public Comments: 





One commenter expressed concern that SAMHSA did not summarize or address specific 
comments from stakeholders who participated in the public listening sessions. 

Another commenter said that the part 2 changes should move forward but should be 
monitored and modified accordingly over the next two to three years. 


SAMHSA Response: 





SAMHSA will undertake further rulemaking as necessary and intends to respond to 
issues raised with respect to the part 2 regulations, as they have in the past, through 
subregulatory guidance. 

SAMHSA considered all comments received in the June 2014 public Listening Session 
on the part 2 regulations. As explained in the NPRM, feedback from the Listening Session was 
considered and helped to inform the development of the February 2016 NPRM (see 81 FR 6988, 
6993). SAMHSA posted all comments received in response to the Listening Session Federal 
Register Notice on its website: http://www.samhsa.gov/about-us/who-we-are/laws- 


regulations/public-comments-confidentiality-regulations. 
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3. Implementation Timeline and Other Barriers to Implementation 





Public Comments: 





To allay privacy concerns, a commenter said that SAMHSA should delay the proposed 
part 2 changes to further develop its Consent2Share application and encourage wider adoption. 
Similarly, a commenter recommended further testing and evaluation on IT solutions before 
issuing part 2 changes. This commenter further urged SAMHSA to address these issues in the 
final rule by specifically detailing a process for updating the Consent2Share tool so that its 
design specifications remain compatible with the rapidly advancing and very fluid EHR design 
landscape. 


SAMHSA Response: 





SAMHSA declines to accept these recommendations to delay publication of a final rule 
pending technology developments or Congressional action. Technology adoption is an ongoing 
process, and the majority of current EHR and HIE applications may not have the capability to 
support the DS4P initiative. In addition, paper records are still used today in some part 2 
programs and shared through facsimile (FAX). In addition, SAMHSA’s publication of a final 
rule would not prevent further Congressional action with respect to part 2. 


Public Comments: 





One commenter expressed concern that applying electronic data segmentation in 
conjunction with patient privacy preferences can significantly increase the complexity of the 
workflow process and have unintended consequences on system performance and response times 
at the point of care. The commenter recommended that SAMHSA, in conjunction with other 
federal agencies, advisory bodies, such as the National Committee on Vital and Health Statistics 


(NCVHS), and public and private stakeholders should convene public discussions to evaluate the 
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possibility of data segmentation standards in electronic systems, the benefits and potential 
unintended consequences that may result, along with the associated costs and anticipated 
consumer uses of such standards and processes. 

In addition to the technical challenges, a commenter said that SAMHSA should recognize 
other barriers to implementation of part 2 changes, including complexity in navigating individual 
state regulations, challenges around mapping to clinical codes, and lack of a standardized service 
discovery mechanism to ensure capability of exchanging systems to evaluate the ability to 
receive and interpret a tagged document. 


SAMHSA Response: 





SAMHSA recognizes the concerns expressed by the commenter; however, SAMHSA’s 
jurisdiction is limited to those regulations over which it has authority. We note that the part 2 
regulations permit, but do not require, data segmentation. 


4. Educational Opportunities 





Public Comments: 





Some commenters urged SAMHSA to provide trainings/webinars and technical 
assistance after the final rule is adopted so that substance use disorder providers, other health 
care providers, and patients will understand the changes to ensure compliance with the rule. 
Expressing concern that many people will not understand the idea of an HIE or a registry, one 
commenter suggested creating paid space for a nurse visit to walk a consumer through the 
consent. 

A few commenters encouraged SAMHSA to invest in provider and patient education 


efforts on the value of integrated care, the role of information sharing in enabling integrated care, 
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how the consent process works, patient rights under 42 CFR part 2, and the implications of 
providing consent to share personal health information. 

A commenter encouraged SAMHSA to continue its efforts to provide guidance as to how 
part 2’s requirements can be incorporated into HIE systems, suggesting that many of the 
perceived part 2 issues can be resolved by proper education regarding the actual requirements 
and how information can be exchanged pursuant to part 2 with little, if any, additional effort if 
proper operational practices are utilized by health care providers and management organizations. 

One commenter suggested that SAMHSA establish a consumer engagement committee or 
seek input from an existing national consumer advisory council to support part 2 programs in 
complying with certain areas of the rule, such as developing user-friendly consent forms and 
crafting educational materials for patients. One commenter suggested that SAMHSA contract 
with the Legal Action Center to create a webinar or FAQ to provide guidance to community 
health centers and other “multi-use” organizations as to the applicability of part 2. 

Another commenter recommended that SAMHSA develop educational materials targeted 
at pharmacists because of the pharmacy profession’s growing role in substance use disorder 
treatment. 


SAMHSA Response: 





SAMHSA appreciates these comments on educational opportunities and plans to address 
specific commenter requests in subregulatory guidance after the publication of the final rule. 
SAMHSA will consider additional educational activities, such as trainings, webinars, and 
establishing engagement committees, should SAMHSA determine the need during 
implementation of the final rule. 


5. Increased Enforcement 
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Public Comments: 





Some commenters urged SAMHSA to ensure that part 2 provides for meaningful 
enforcement and penalties, with a few reasoning that the rule would create new avenues for the 
exchanges of patients’ substance use disorder information, especially to other parts of the health 
care system that may have little to no experience treating substance use disorder or complying 
with part 2. One of these commenters asserted that fines imposed for part 2 violations are so 
minimal that they are not a deterrent to intentional or accidental violations. A commenter 
suggested that SAMHSA adopt the HIPAA penalties contained in the HITECH Act and specify 
that any disclosures of information in violation of this statute must be excluded from evidence 
and deemed inadmissible for use in any administrative, civil, or criminal proceeding. 

Urging SAMHSA to review and correct the enforcement concerns of the underlying 
statute, one commenter argued that the current confidentiality obligations have questionable 
enforcement authority because there is no express provision in Title 18 pertaining to the 
confidentiality of drug and alcohol treatment records. Although the original part 2 underlying 
statute set forth specific fines, the commenter explained that a subsequent revision (by Pub. L. 
102-321) eliminated the fines leaving only a reference to Title 18. Moreover, the commenter said 
that by the proposed transfer of the existing enforcement authority from FDA to SAMHSA, the 
proposed rule appears to remove enforcement authority that actually exists to a potential state of 
unenforceability. Similarly, another commenter stated that SAMHSA does not have legislative 
authority to impose penalties for disclosure. No mention of privacy law violation fines, penalties, 
or offenses exist in Title 18. Thus, the current confidentiality obligations have no enforcement 
authority. The commenter stated that entities receiving unauthorized information would likely 


not be subject to penalties unless a common law breach of privacy lawsuit is filed. 
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SAMHSA Response: 





The Department of Justice is responsible for enforcing violations of 42 CFR part 2 in 
accordance with Title 18 of the United States Code. Title 42 USC 290dd-2 provides that “[a]ny 
person who violates any provision of [the] section or any regulation issued pursuant to [the] 
section shall be fined in accordance with title 18.” Reports of violation of the regulations may be 
directed to the United States Attorney’s Office (USAO) for the judicial district in which the 
violation occurs or may be directed to SAMHSA for possible referral to the relevant USAO. A 
report of any violation of these regulations by an opioid treatment program may be directed to 
the relevant USAO as well as the SAMHSA office for opioid treatment program oversight, 
pursuant to 42 CFR part 8. 


6. Other Miscellaneous Comments on the Proposed Rule 





Public Comments: 





A commenter suggested that SAMHSA revise the title of part 2 to “Confidentiality of 
Patient Records Relevant to Substance Use Disorders and Associated Behavioral Diagnoses,” to 
ensure person-centered language is used. 


SAMHSA Response: 





To be consistent with recognized classification manuals, current diagnostic lexicon, and 
commonly used descriptive terminology, SAMHSA proposed to refer to alcohol abuse and drug 
abuse collectively as “substance use disorder,” and, for consistency, proposed to revise the title 
of 42 CFR part 2 from “Confidentiality of Alcohol and Drug Abuse Patient Records” to 
“Confidentiality of Substance Use Disorder Patient Records.” 


Public Comments: 
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Some commenters made specific suggestions or requested clarification regarding parts of 
the part 2 regulations that were not the subject of the proposed changes in the NPRM. For 
example, commenters addressed §§ 2.14 (Minor patients), 2.20 (Relationship to state laws), and 
2.21 (Relationship to federal statutes protecting research subjects against compulsory disclosure 
of their identity). 


SAMHSA Response: 





SAMHSA acknowledges commenters’ questions and suggestions relating to all aspects of 
the part 2 regulations. However, for purposes of this final rule, SAMHSA generally considered 
comments submitted on provisions for which changes were not proposed in the February 2016 
NPRM to be outside of the scope of this rulemaking. SAMHSA will take such comments and 
recommendations under advisement and may issue subregulatory guidance in the future to 
address some of these issues brought up by commenters. 


Public Comments: 





Another commenter also urged SAMHSA to work with CMS to ensure that when proper 
criteria are met, such as through a QSOA and/or a signed consent form, patient substance use 
claim information is available to ACOs through their CCLF files. Asserting that it is a major 
blind spot in the ability of an ACO to manage total care if it does not have data on substance use 
disorder data, a commenter encouraged SAMHSA to work with CMS on ways to effectively 
manage substance use disorder care within the administration of the ACO program. One 
commenter suggested that SAMHSA work with federal agencies, states, localities, and providers 
to identify the cost/burden of the rule on entities and professionals. The commenter also 


recommended that SAMHSA work with the CMS and the Office of the National Coordinator for 
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Health Information Technology (ONC) to align the rule with guidance permitting the HITECH 
enhanced funding for administrative costs to other providers. 


SAMHSA Response: 





SAMHSA will continue to work with CMS and its other federal partners to ensure the 
effective and timely implementation of the part 2 final rule. 


Public Comments: 





Because a state provides health care, including federally funded substance use disorder 
treatment programs, to inmates in the state jail system, a commenter stated that the part 2 
regulations impact the methods by which care is coordinated for inmates and urged SAMHSA to 
consider part 2’s impact on incarcerated populations. 


SAMHSA Response: 





SAMHSA considered how the regulations would impact part 2 programs and lawful 
holders of patient identifying information, as well as other stakeholders. All part 2 programs and 
other lawful holders of patient identifying information must comply with part 2. If a jail or prison 
meets the definition of a part 2 program, it would be required to comply with part 2. 


Public Comments: 





One commenter stated that there should be an option for the patient to have the ability to 
remove their substance use disorder history from their medical record after a ten-year minimum 
time period. 


SAMHSA Response: 





Although SAMHSA is not prescribing any specific retention period, the expectation is 
the both paper and electronic records would comply with applicable federal, state, and local 


retention laws. 
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Public Comments: 





A commenter requested that SAMHSA provide a description of 42 CFR part 2-covered 
entities similar to the designation under HIPAA. 


SAMHSA Response: 





SAMHSA may address applicability in subregulatory guidance or in subsequent 
rulemaking. 

VI. Rulemaking Analyses 

A. Paperwork Reduction Act 

Under the Paperwork Reduction Act of 1995 (PRA), agencies are required to provide a 
60-day notice in the FR and solicit public comment before a collection of information 
requirement is submitted to the Office of Management and Budget (OMB) for review and 
approval. We provided for this comment period as part of the NPRM. The part 2 information 
collections are approved under OMB Control No. 0930-0092, and SAMHSA will shortly submit 
the changes associated with this rule to OMB for review. 

This rule includes changes to information collection requirements, that is, reporting, 
recordkeeping or third-party disclosure requirements, as defined under the PRA (5 CEFR part 
1320). Some of the provisions involve changes from the information collections set out in the 
previous regulations. Information collection requirements are: (1) Section 2.13(d)—Disclosure: 
Requires entities named by patients using general designation under § 2.31(a)(4)(iv)(C) to 
provide a list of entities to which the patient’s information has been disclosed to participants 
pursuant to the general designation, (2) Section 2.22—Disclosure: Requires each program notify 
each patient that federal law and regulations protect the confidentiality of substance use disorder 


patient records and provide a written summary of the effect of this law and these regulations, (3) 
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Section 2.51—Recordkeeping: This provision requires the program to document a disclosure of a 
patient record to authorized medical personnel in a bona fide medical emergency as defined in 

§ 2.51. The regulation is silent on retention period for keeping these records as this will vary 
according to state laws. It is expected that these records will be kept as part of the patients’ health 
records. The major change from current (1987) regulations is the list of disclosures requirement 
at Section 2.13(d). SAMHSA proposed that entities named on a consent form that disclose 
patient identifying information to their participants under the general designation must provide 
patients, upon request, a list of entities to which their information has been disclosed pursuant to 
a general designation (i.e., list of disclosures). Impact of this provision is noted below. SAMHSA 
notes that entities are not required to use the general designation permitted under 

§ 2.31 (a)(4)Gii)(B)(3)G). 

Under the PRA, the time, effort, and financial resources necessary to meet the 
information collection requirements referenced in this section are to be considered in 
rulemaking. The NPRM solicited comments on PRA issues. Commenters did not raise concerns 
regarding the burden for information collection requirements for the recordkeeping and 
notification provisions above. Though commenters expressed concern about some aspects of the 
list of disclosures requirements, these comments did not suggest that the burden of information 
collection would increase for 42 CFR part 2-compliant entities. Indeed, one commenter noted 
that current practice for many facilities to maintain both paper and electronic records may be 
both burdensome and inefficient. By promoting use of EHRs, changes in this rule may help to 
improve efficiency for providers. Some commenters also hypothesized that complying with the 
list of disclosures requirement would require such steps as developing a tracking system; or 


manual review or audit of all records; and mailing of letters through U.S. mail. Entities should 
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already be collecting and retaining information needed to comply with the list of disclosures 
requirement. The final rule does not impose requirements to manually review all records, mail 
letters using the U.S. Postal Service or develop a tracking system specifically to comply with the 
list of disclosures provisions. For instance, we note below that entities could comply with the 
List of Disclosures requirement by either collecting this information electronically by using audit 
logs to obtain the required information or by keeping a paper record. Similarly, we point out that 
list of disclosures may be transmitted through such methods as mail or email or through other 
means preferred by the patient. We discuss the list of disclosures requirements further in the 
impact analysis section below. 


Annual burden estimates for these requirements are summarized in the table below: 








Table 2 — Annual Burden Estimates 
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' The number of entities required to generate a list of disclosures based on the number of 
estimated patient requests. Patient requests are based the total number of annual treatment 
admissions from SAMHSA's 2010-2012 Treatment Episode Data Set (TEDS) (see footnote 5). 
The estimated patient requests equal the average of the total number of requests for a 0.1 percent 
request rate and a 2 percent request rate. SAMHSA notes that this estimate reflects the number of 
patient requests rather than the number of impacted entities as some entities may receive more 
than one request. 








* The estimated time for developing a list of disclosures is 4 hours for entities collecting the 
information electronically using an audit log and 3 hours for entities that produce such a list from 
paper records. Because 90 percent of entities are estimated to collect the information 
electronically using an audit log and 10 percent are estimated to use paper records, the average 
weighted time to develop a list of disclosures is 3.9 hours [(0.9 x 4 hours) + (0.1 x 3 hours)]. 
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Including the estimated 15 minutes to prepare each list of disclosures for mailing or transmitting, 
the total estimated time for providing a patient a list of disclosures is 4.15 hours (3.9 hours + 
0.25 hours). 








* The weighted hourly rate for health information technicians, medical technicians and 
administrative staff who will be preparing the list of disclosures. The hourly rate is weighted to 
reflect the fact that health information and medical technicians, who will be generating the list of 
disclosures, have a higher wage rate than administrative staff and will contribute more hours to 
generating the list of disclosures. Bureau of Labor Statistics, U.S. Department of Labor, 
Occupational Employment Statistics [accessed June 3, 2015], Standard Occupations 
Classification codes (29-2071, 31-9092) [www.bls.gov/oes/|. The hourly wage rate was 
multiplied by 2 to account for benefits and overhead costs. 








“The number of publicly funded alcohol and drug facilities based on SAMHSA's 2013 National 
Survey of Substance Abuse Treatment Services (N-SSATS). The estimated annual number of 
respondents, 12,034, is based on N-SSATS data and reflects facilities receiving federal funding. 
However, under N-SSATS an organization may complete survey responses for multiple 
facilities. 








> The average number of annual treatment admissions from SAMHSA's 2010-2012 TEDS. 








° Bureau of Labor Statistics, U.S. Department of Labor, Occupational Employment Statistics 
[accessed July 16, 2015], Standard Occupations Classification code (21-1011) 
[www.bls.gov/oes/|. The hourly wage rate was multiplied by 2 to account for benefits and 
overhead costs. 








’ Bureau of Labor Statistics, U.S. Department of Labor, Occupational Employment Statistics 
[accessed July 16, 2015], Standard Occupations Classification code (43-0000) 
[www.bls.gov/oes/|. The hourly wage rate was multiplied by 2 to account for benefits and 
overhead costs. 

















* The combined total of the number of publicly funded alcohol and drug facilities and the number 
of entities required to generate a list of disclosures. 








As described in greater detail in Section VIB, Regulatory Impact Analysis, the 
respondents for the collection of information under § 2.22 and 2.51 are publicly (federal, state, or 
local) funded, assisted, or regulated substance use disorder treatment programs. The estimate of 
the number of such programs (respondents) is based on the results of the 2013 N-SSATS, and the 
average number of annual total responses is based on 2010-2012 information on patient 
admissions reported to the Treatment Episode Data Set (TEDS), approved under OMB Control 
No. 0930-0106 and OMB Control No. 0930-0335. 

The respondents for the collection of information under § 2.13(d) are entities named on 


the consent form that disclose information to their participants pursuant to the general 
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designation. These entities primarily would be organizations that facilitate the exchange of health 
information (e.g., HIEs) or coordinate care (e.g., ACOs, CCOs, and CPCMHs), but other 
organizations, such as research institutions, also may disclose patient identifying information to 
their participants (e.g., clinical researchers) pursuant to the general designation on the consent 
form. Because there are no definitive data sources for this potential range of organizations, we 
are not associating requests for a list of disclosures with any particular type of organization. 
Consequently, the number of organizations that must respond to list of disclosures requests is 
based on the total number of requests each year. 

B. Regulatory Impact Analysis 


1. Public Comments on Notice of Proposed Rulemaking Regulatory Impact 





Analysis 


a. Support for Cost Estimates 





Public Comments: 





SAMHSA received roughly 376 comments on the proposed rule. However, relatively 
few comments focused on the Regulatory Impact Analysis. We respond to these comments 
below and have made changes in our analysis, when appropriate, to reflect these comments. 

A few commenters suggested that the estimated costs outlined by SAMHSA in the 
proposed rule are in line with actual costs. For instance, one commenter suggested that the 
estimated total cost of $239 million over 10 years would not be unduly burdensome and would 
improve patient care and safety. A commenter stated that costs would be minimal for integrating 
the requirement properly to sanitize and dispose of records into training and instruction. Another 
commenter stated that the costs related to modifying release forms and training staff would be 


absorbed by organizations and would not impact business processes. Explaining that in order to 
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reflect the revision in title of 42 CFR part 2, a modification of the printed and on-line versions of 
applicable CFR Titles would be necessary, a commenter concluded that because of regular 
updates to CFRs, the incorporation of amendments made as part of this rule should not result in a 
significant economic impact. 


SAMHSA Response: 





SAMHSA acknowledges and appreciates the comments received that expressed support 
for the cost estimates in the NPRM. Though SAMSHA does not attempt in this rule to quantify 
benefits, it is important to note that updates to 42 CFR part 2 may result in long-term cost 
savings as well due to improved care coordination and integration and more efficient use of data 
for research and performance improvement purposes. 


b. Assertions that SAMHSA Underestimated Costs 





Public Comments: 





Some commenters generally asserted that the compliance and implementation costs were 
underestimated. One commenter suggested that cost effectiveness of complying with the 
proposed regulation will impact members and patients because of the additional costs associated 
with implementation (e.g., outreach and education, changes to consent forms), which undermines 
care coordination and effective delivery of services. Another commenter suggested that the 
projected costs of complying with part 2 should include costs for other institutions that are 
affected with re-disclosure of the provision; costs to individual practitioners or health 
organizations with few clinicians that fall under part 2; vendor-related costs; costs for software 
development and upgrades should be added to the costs of electronic record purchase and 


maintenance; cost to HIE; and costs to hire administrative staff. 
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A few commenters suggested that the estimated $8,000 cost per facility to implement 
consent management was too low, failing to reflect fully development, testing and process costs. 
One commenter suggested that the estimated $8,000 cost per facility to implement consent 
management likely does not consider vendor-related costs such as development, testing, training, 
adoption and process modifications that may need to occur, only the cost of the infrastructure 
investment. Commenters urged SAMHSA and federal partners to consider funding HIT 
adoption by behavioral health providers. Another commenter stated that the proposed rule 
underestimated the cost of scaling efforts to integrate DS4P and Consent2Share, including 
upgrades and iterations across EHR products. Commenters also suggested SAMHSA modify its 
DS4P efforts to reflect updated 42 CFR part 2 requirements. Lastly, a commenter suggested that 
the estimate of $8,000 to comply with the proposal underestimates the costs for existing 
pharmacy management systems to add new functionality and applications and does not include 
other software or security requirements, training, or other implementation costs associated with 
the proposed rule. Another commenter generally suggested that the estimated cost burden of 
transitioning to a new consent form will be greater than proposed in the proposed rule. 

Several commenters mentioned other specific areas in which SAMHSA underestimated 
costs. One commenter suggested that the costs estimated related to EHR customizations are 
underestimated because there is no current standard interoperability within EHRs that address 
part 2 information. Another commenter also shared their own experience in which they estimated 
a cost of $30,000 to comply with 42 CFR part 2 when including 2 substance use specialists as 
part of an integrated treatment model using an electronic health record. This commenter asserted 
based on their own experience that if small entities attempt to develop integrated substance use 


disorder treatment programs they may face similar costs, including information technology time 
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and efforts to modify EHRs to include restrictions on sharing of 42 CFR part 2 information in an 
integrated setting prohibitive. Another commenter stated that time, resources and training would 
be required to implement proposed changes to §§ 2.12, 2.31, and 2.32, and that personnel and 
financial constraints are common within the health care industry. The commenter estimated that 
the ability to adapt currently used electronic health records to segregate certain patient 
information will also take considerable effort and time. A commenter stated that the proposed 
cost analysis associated with staff training is inaccurate because it assumes that only substance 
use disorder counselors would need training when, in actuality, other fields would also need to 
be trained because they could potentially become lawful holders of the patient information (e.g., 
social work, psychology, medicine, managed care, HIE, research organizations). The commenter 
added that additional work will be needed to redact patient records to be in compliance with the 
data sharing elements related to information that could identify a patient as a substantive abuse 
disorder patient. A commenter stated that the cost to organizations to comply with the 


requirement for U.S. mail transmissions will be significant. 


SAMHSA Response: 

Though commenters suggested anecdotally that SAMHSA underestimated the burden of 
42 CFR part 2-compliance, SAMHSA notes the availability of data segmentation tools such as 
Consent2Share, an open source tool for consent management that is compliant with 42 CFR part 
2. As noted above (in Section V.J.1.c), SAMHSA will be shortly releasing an updated version 
of Consent2Share with improved functionality and ability to meet the list of disclosures 
requirements. Provided that a facility already is using electronic health records and can partner 
with a health information exchange using Consent2Share or similar software, SAMHSA 


believes based on current efforts to pilot an updated version of Consent2Share that a cost of 
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between $6,000 and $10,000 is reasonable. At the individual clinic level, initial set-up, training 
and testing are expected to constitute the main expenses. D4SP, Consent2Share, and similar 
tools make it feasible for entities to comply with updated 42 CFR part 2 requirements at 
reasonable cost. 

While we acknowledge comments that entities other than those directly subject to this 
rule may be impacted by its provisions, including vendors of EHR products, such impacts are 
outside the scope of the regulation. We do not mandate vendors to perform additional activities. 
Nonetheless, SAMHSA will monitor such impacts and, to the extent feasible, work with 
stakeholders and federal partners to develop fact sheets and other materials to assist in outreach 
to patients and others about changes made in this rule. Likewise, while SAMHSA is unable to 
directly fund updates to EHRs, SAMHSA continues to work closely with ONC and others to 
ensure inclusion of behavioral health providers in ongoing information technology programs 
(See http://www.samhsa.gov/health-information-technology/samhsas-efforts; 
https://www.healthit.gov/policy-researchers-implementers/behavioral-health). 

We acknowledge that the cost of updating consent forms may be greater than we had proposed 
and have made changes to our cost estimates in this final rule to reflect the need to update forms 
to meet new requirements. We note that most of these costs may only need to be incurred once 
and in the past some organizations have made sample template forms and materials available 
(See e.g., http://lac.org/resources/substance-use-resources/confidentiality-resources/sample- 
forms-confidentiality/). SAMHSA may, at a future time, develop sample templates and forms to 
ease compliance costs. 


c. Other Comments on Costs 





Public Comments: 
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Some commenters said existing functionalities within EHR systems and consent 
management tools do not easily separate or redact substance use disorder information from 
general medical information when such systems are shared across an integrated health system. 
Similarly, commenters expressed concern that the proposed rule could have the opposite effect of 
its intended purpose by causing HIEs to exclude part 2 information from information exchanges 
entirely since most HIEs and EHRs today do not support data segmentation. Asserting that the 
proposed part 2 changes would require HIEs to create an architecture for data management that 
provides for the segmentation of substance use disorder and general behavioral health data from 
physical health care data, including a way to have consent operate differently in each of the 
environments, one commenter asserted that this is a costly challenging administrative burden that 
does nothing to promote the sharing of information between all necessary providers for the 
integration of coordination of care. 

A commenter suggested that the financial burden of the proposed rule would vary 
depending on the size or complexity of the covered entity. 

Another commenter asserted that the rule should not be adopted because it would result 
in increased health care costs. The commenter stated that SAMHSA is not able to estimate 
additional costs that are likely to occur when adding sensitive substantive abuse disorder 
treatment information of patients to electronic health information systems without patient 
consent (e.g., additional security, costs related to breaches, class action lawsuits for breached 
information, and loss of business due to breaches). The commenter concluded that, because these 
costs do not provide additional substance use disorder or health care services, and instead 
remove dollars from health care services, the proposed rule is in conflict with SAMHSA’s 


proposed goal of reducing unnecessary health care costs. 
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SAMHSA Response: 





SAMHSA agrees that costs may vary based on an institution’s size, complexity and 
patient population served. However, we anticipate that over time compliance costs will drop 
significantly as institutions implement initial compliance efforts. SAMHSA notes that EHRs 
already are widely used in many health care settings with no evidence of class action lawsuits, 
loss of business or other speculative impacts (see e.g., 
http://dashboard.healthit.gov/quickstats/quickstats.php). Though SAMHSA is concerned about 
health care costs, the use of EHRs is likely both to improve care and reduce costs over time. 
Changes made in this rule will help to support EHR adoption and integration of care. Though in 
general EHR adoption among behavioral health providers lags behind that of other health care 
providers, forthcoming N-SSATS data reflect that more than 25 percent of surveyed substance 
use disorder treatment facilities used EHRs only and more than half use EHRs and paper-based 
records. Such growing adoption by substance use disorder treatment facilities reflects that EHR 
use 1s consistent with good quality of care and 42 CFR part 2 compliance. 


2. Statement of Need 





This final rule reflects changes in the health care system and behavioral health, such as 
the increasing use of electronic health records and drive toward greater integration of physical 
and behavioral health care. Despite efforts to enhance integration and coordination of care, 
however, it remains important to ensure persons seeking treatment for substance use disorders 
can remain confident as to the safeguarding of their medical information. This rule updates 42 


CFR part 2 to balance these important needs. 





3. Overall Impact 
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SAMHSA examined the impacts of this final rule as required by Executive Order 12866 
on Regulatory Planning and Review (September 30, 1993), Executive Order 13563 on Improving 
Regulation and Regulatory Review (January 18, 2011), the Regulatory Flexibility Act (RFA) 
(September 19, 1980, Pub. L. 96-354), Section 1102(b) of the Social Security Act, section 202 of 
the Unfunded Mandates Reform Act of 1995 (March 22, 1995; Pub. L. 104-4), Executive Order 
13132 on Federalism (August 4, 1999) and the Congressional Review Act (5 U.S.C. 804(2)). 
Executive Orders 12866 and 13563 direct agencies to assess all costs and benefits of available 
regulatory alternatives and, if regulation is necessary, to select regulatory approaches that 
maximize net benefits (including potential economic, environmental, public health and safety 
effects, distributive impacts, and equity). Section 3(f) of Executive Order 12866 defines a 
“significant regulatory action” as an action that is likely to result in a rule: (1) Having an annual 
effect on the economy of $100 million or more in any one year, or adversely and materially 
affecting a sector of the economy, productivity, competition, jobs, the environment, public health 
or safety, or state, local or tribal governments or communities (also referred to as “economically 
significant’’); (2) creating a serious inconsistency or otherwise interfering with an action taken or 
planned by another agency; (3) materially altering the budgetary impacts of entitlement grants, 
user fees, or loan programs or the rights and obligations of recipients thereof; or (4) raising novel 
legal or policy issues arising out of legal mandates, the President's priorities, or the principles set 
forth in the Executive Order. 

A regulatory impact analysis must be prepared for major rules with economically 
significant effects ($100 million or more in any one year). This rule does not reach the economic 
threshold and thus is not considered to be an economically significant rule. However, because 


this rule raises novel policy issues arising out of legal mandates, the rule is considered “a 
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significant regulatory action,” this regulatory impact analysis has been prepared, and the rule has 
been reviewed by OMB. 

When estimating the total costs associated with changes to the 42 CFR part 2 regulations, 
we assumed five sets of costs: updates to health IT systems costs, costs for staff training and 
updates to training curriculum, costs to update patient consent forms, costs associated with 
providing patients a list of entities to which their information has been disclosed pursuant to a 
general designation on the consent form (i.e., the List of Disclosures requirement), and 
implementation costs associated with the List of Disclosures requirements. We assumed that 
costs associated with modifications to existing health IT systems, staff training costs associated 
with updating staff training materials, and costs to update consent forms would be one-time costs 
the first year the final rule is in effect and would not carry forward into future years. Staff 
training costs other than those associated with updating training materials were assumed to be 
ongoing annual costs to part 2 programs, also beginning in the first year that the final rule is in 
effect. The List of Disclosures costs were assumed to be ongoing annual costs to entities named 
on a consent form that disclose patient identifying information to their participants under the 
general designation. In the NPRM, SAMHSA proposed to require non-treating providers to 
implement the List of Disclosures requirement at any time, but they cannot use the general 
designation without being able to provide a List of Disclosures. Therefore, we assumed that 
starting in year | ten percent of entities would decide to implement each year, resulting in 100 
percent of entities implementing by year 10. We note that it is possible that some entities will 
never implement this requirement and choose to forego use of the general designation. 

We estimated, therefore, that in the first year that the final rule is in effect, the total costs 


associated with updates to 42 CFR part 2 will be about $70, 691,000. In year two, we estimate 
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that costs will be roughly $17,680,000 and increase annually as a larger share of entities 


implement List of Disclosures requirements and respond to disclosure requests. Over the 10-year 


period of 2016-2025, the total undiscounted cost of the part 2 changes will be about $241 million 


in 2016 dollars. When future costs are discounted at 3 percent or 7 percent per year, the total 


costs become approximately $217, 586,000 or $193,098,000, respectively. These costs are 


presented in the tables below. 








Table 3 — Total Cost of 42 CFR part 2 Revisions (Note: Numbers may not add due to rounding). 


Note that all costs presented in this analysis are rounded to avoid communicating inaccurate 


levels of precision. 





































































































Staff training || Consent form List of 
Health IT costs|| Total costs 
Year costs updates Disclosures 
[2016 dollars] 

(A) (B) (C) (D) (E) 
2016 $15,521,000 $2,104,000 $4,930,000 || $48,136,000 || $70,691,000 
2017 $12,438,000 0 $5,242,000 0 $17,680,000 
2018 $12,438,000 0 $5,554,000 0 $17,992,000 
2019 $12,438,000 0 $5,866,000 0 $18,304,000 
2020 $12,438,000 0 $6,178,000 0 $18,616,000 
2021 $12,438,000 0 $6,490,000 0 $18,928,000 
2022 $12,438,000 0 $6,802,000 0 $19,240,000 
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2023 $12,438,000 0 $7,114,000 0 $19,552,000 
2024 $12,438,000 0 $7,426,000 0 $19,864,000 
2025 $12,438,000 0 $7,738,000 0 $20,176,000 
Total 
$241,040,000 
$127,463,000 $2,104,000 $63,338,000 || $48,136,000 






































Table 4 — Total Cost of 42 CFR part 2 Revisions—Annual Discounting (Note: Numbers 


may not add due to rounding.) 





































































































Total with 3% annual Total with 7% annual 

Year Total costs 

discounting discounting 

[2016 dollars] 
(E) (F) (G) 

2016 $70,691,000 $70,691,000 $70,691,000 
2017 $17,680,000 $17,165,000 $16,523,000 
2018 $17,992,000 $16,959,000 $15,715,000 
2019 $18,304,000 $16,751,000 $14,941,000 
2020 $18,616,000 $16,540,000 $14,202,000 
2021 $18,928,000 $16,327,000 $13,495,000 
2022 $19,240,000 $16,113,000 $12,820,000 
2023 $19,552,000 $15,897,000 $12,176,000 
2024 $19,864,000 $15,681,000 $11,561,000 
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2025 $20,176,000 $15,463,000 $10,974,200 








Total $241,040,000 $217,586,000 $193,098,000 











Annualized $25,507,717.01 $27,492,811.02 



































Note: Numbers may not add due to rounding. 


The costs associated with the proposed revisions stem from staff training and updates to 
training curriculum, updates to patient consent forms, compliance with the List of Disclosures 
requirement (including implementation costs), and updates to health IT infrastructure for 
information exchange. Based on data from the 2013 N-SSATS, we estimated that 12,034 
hospitals, outpatient treatment centers, and residential treatment facilities are covered by part 2. 
N-SSATS is an annual survey of U.S. substance use disorder treatment facilities. Data is 
collected on facility location, characteristics, and service utilization. Not all treatment providers 
included in N-SSATs are believed to be under the jurisdiction of the part 2 regulations. The 
12,034 number is a subset of the 14,148 substance use disorder treatment facilities that 
responded to the 2013 N-SSATS, and includes all federally operated facilities, facilities that 
reported receiving public funding other than Medicare and Medicaid, facilities that reported 
accepting Medicare, Medicaid, TRICARE, and/or Access to Recovery (ATR) voucher payments, 
or were SAMHSA-certified Opioid Treatment Programs. If a facility did not have at least one of 
these conditions, it was interpreted not to have received any federal funding and, therefore, not 
included in the estimate. The estimated annual number of respondents, 12,034, is based on N- 


SSATS data and reflects facilities receiving federal funding. However, under N-SSATS an 
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organization may complete survey responses for multiple facilities it oversees. Thus, an 
organization with three facilities may complete three separate surveys. 

If an independently practicing clinician does not meet the requirements of paragraph (1) 
of the definition of Program they may be subject to 42 CFR part 2 if they constitute an identified 
unit within a general medical facility which holds itself out as providing, and provides, substance 
use disorder diagnosis, treatment, or referral for treatment or if their primary function in the 
facility or practice is the provision of such services and they are identified as providing such 
services. Due to data limitations, it was not possible to estimate the costs for independently 
practicing providers covered by part 2 that did not participate in the 2013 N-SSATS. For 
example, data from American Board of Addiction Medicine (ABAM) provides the number of 
physicians since 2000 who have active ABAM certification. However, there is no source for the 
number of physicians who have not participated in the ABAM certification process. In addition, 
it is not possible to determine which ABAM-certified physicians practice in a general medical 
setting rather than in a specialty treatment facility that was already counted in the N-SSATS data. 

Several provisions in the NPRM referenced “other lawful holders of patient identifying 
information” in combination with part 2 programs. These other lawful holders must comply with 
part 2 requirements with respect to information they maintain that is covered by part 2 
regulations. However, because this group could encompass a wide range of organizations, 
depending on whether they received part 2 data via patient consent or as a result of one of the 
limited exceptions to the consent requirement specified in the regulations, we are unable to 
include estimates regarding the number and type of these organizations and only included part 2 


programs in this analysis. 
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In addition to the part 2 programs described above, SAMHSA proposed that entities 
named on a consent form that disclose patient identifying information to their participants under 
the general designation must provide patients, upon request, a list of entities to which their 
information has been disclosed pursuant to a general designation (1.e., list of disclosures). These 
entities primarily would include organizations that facilitate the exchange of health information 
(e.g., HIEs), and may also include organizations responsible for care coordination (e.g., ACOs, 
CCOs, and CPCMHs). The most recent estimates of these types of entities are 67 functional, 
publicly funded HIEs and 161 functional, privately funded HIEs in 2013.’ As of January 2015, 
there were an estimated 744 ACOs covering approximately 23.5 million individuals.” Finally, the 
National Committee for Quality Assurance (NCQA) recently noted that there are now more than 
10,000 NCQA-recognized CPCMHs.’ While these types of organizations were the primary focus 
of this provision on the consent form, other types of entities, such as research institutions, may 
also disclose patient identifying information to their participants (e.g., clinical researchers) 
pursuant to the general designation on the consent form. Because there are no definitive data 
sources for this potential range of organizations, we are not associating requests for lists of 
disclosures with any particular type of organization. We, instead, estimate the number of 
organizations that must respond to list of disclosures requests based on the total number of 
requests each year. 


a. Direct Costs of Implementing the Proposed Regulations 





There is no known baseline estimate of the current costs associated with 42 CFR part 2- 
compliance. However, as reflected by commenters who requested alignment between HIPAA 
and 42 CFR part 2, HIPAA authorization and notification requirements have similarities to 


requirements of 42 CFR part 2 (see http://www.hhs.gov/hipaa/for- 
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professionals/privacy/index.html). Instead, therefore, in the absence of data and studies 
specifically focused on compliance with 42 CFR part 2, SAMHSA has estimated these costs 
based on a range of published costs associated with HIPAA implementation and compliance.*° 
i. Staff Training 

Because SAMHSA lacks specific data regarding the cost of staff training to comply 
with 42 CFR part 2, SAMHSA has examined analogous HIPAA implementation costs. A 
Standard HIPAA training that meets or exceeds the federal training requirements is, on average, 
one hour long.® Therefore, we also estimated one hour of training per staff to achieve proficiency 
in the 42 CFR part 2 regulations. To estimate the labor costs associated with staff training, we 
averaged the average hourly costs for counseling staff in specialty treatment centers ($20.33 ’), 
hospital treatment centers ($21.80 °), and solo practice offices ($24.67 7). The resulting average 
wage rate was $22.27 per hour. In order to account for benefits and overhead costs associated 
with staff time, we multiplied the average hourly wage rate by two. These estimates were only 
for training costs associated with counseling staff, who we assume will have primary 
responsibility for executing the functions associated with the part 2 revisions. 

It is important as well to note that many current staff already have familiarity with current 
(1987) 42 CER part 2 requirements. With regard to training materials, most part 2 programs are 
assumed to already have training curricula in place that covers current (1987) 42 CFR part 2 
regulations, and, therefore, these facilities would only need to update existing training materials 
rather than develop new materials. Part 2 entities may determine the content of this training. The 
American Hospital Association estimated that the costs for the development of Privacy and 
Confidentiality training, which would include the development of training materials and 


10 


instructor labor costs, was $16 per employee training hour in 2000. Because we assumed that 


part 2 programs would be updating existing rather than developing entirely new training 
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materials, we estimated the cost of training development to be one-half of the cost of developing 
new materials, or $8 per employee. Adjusted for inflation, !'"training development costs in 2016 
would be $11.04 per employee. 

Using SAMHSA's 2010-2012 TEDS average annual number of treatment admissions 
(n=1,861,693) as an estimate of the annual number of patients at part 2 programs and calculated 
staffing numbers based on a range of counseling staff-to-client ratios (i.e., 1 to 10 17/and 1 to 5 
'3L) Based on these assumptions, staff training costs associated with part 2 patient consent 
procedures were projected to range from $10.3 million to $20.7 million in 2016. We averaged 
the two estimated costs for staff training to determine the final overall estimate of $15,521,000. 
We assumed the costs associated with updating training materials will be a one-time cost. 
Therefore, in subsequent years, we assumed the costs associated with staff training would be a 
function of the average hourly wage rate (multiplied by two to account for benefits and overhead 
costs) and the estimated number of staff (developed based on the same two staff-to-client ratios 
described above multiplied by estimated patient counts). Staff training costs associated with part 
2 revisions were projected to range from $8.3 million to $16.6 million after 2016. We averaged 


the two estimated costs for staff training to determine the final overall estimate of $12,438,000. 


il. Updates to Consent Forms 





Updates to the 42 CFR part 2 regulations will need to be reflected in patient consent 
forms. As there is no literature to date on costs to update forms for 42 CFR part 2, we examined 


results from a 2008 study from the Mayo Clinic Health Care Systems U4] 


that reported actuarial 
costs for HIPAA implementation activities. These costs were about $1 per patient visit. Adjusted 


for inflation, costs associated with updating the patient consent forms in 2016 would be $1.13 
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per patient visit. We used the average number of substance abuse treatment admissions from 
SAMHSA's 2010-2012 TEDS as our estimate of the number of clients treated on an annual basis 
by part 2 facilities. The total cost burden associated with updating the consent forms to reflect to 


the updated 42 CFR part 2 regulations would be approximately $2,104,000 (1,861,693 * $1.13). 


[14] 


iii. List of Disclosures Costs 





The proposed part 2 regulations allow patients who have consented to disclose their 
identifying information using a general designation to request a list of entities to which their 
information has been disclosed pursuant to the general designation. Under this final rule, entities 
named on a consent form that disclose patient identifying information to their participants under 
the general designation will be required to provide a list of disclosures after receiving a patient 
request. Under the List of Disclosures requirements, a patient could make a request, for example, 
to an organization that facilitates the exchange of health information (e.g., an HIE) or an 
organization responsible for coordinating care (e.g., an ACO) for a list of disclosures that would 
include the name of the entity to whom each disclosure was made, the date of the disclosure, and 
a brief description of the patient identifying information disclosed, and include this information 
for all entities to whom the patient identifying information has been disclosed pursuant to the 
general designation in the past two years. 

For purposes of the analysis, we assumed that entities disclosing patient identifying 
information to their participants pursuant to a patient's general designation on a consent form are 
already collecting the information necessary to comply with the List of Disclosures requirement, 


in some form, either electronically or using paper records. We also assumed that these entities 
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could comply with the List of Disclosures requirement by either collecting this information 
electronically by using audit logs to obtain the required information or by keeping a paper 
record. However, to address possible concerns about technical feasibility and other 
implementation issues, SAMHSA finalizes its proposal that the List of Disclosures requirement 
may be implemented at any time, but non-treating providers cannot use the general designation 
without being able to provide a List of Disclosures to allow entities collecting this information 
time to review their operations and business processes and to decide whether technological 
solutions are needed to enable them to more efficiently comply with the requirement. 

In order to make preliminary estimates of the implementation costs, we first estimated the 
number of potentially impacted entities based on the anticipated number of patient requests for a 
disclosure report in a calendar year. We used the average number of substance use disorder 
treatment admissions from SAMHSA's 2010-2012 TEDS (n = 1,861,693) as the number of 
patients treated annually by part 2 programs. We then used the average of a 0.1 and 2 percent 
patient request rate as our estimate of the number of impacted entities (n = 19,548). 

From there, we assumed 10 percent of the impacted entities would use paper records to 
comply with the disclosure reporting requirements (n = 1,995) and would have minimal 
implementation costs. Among the remaining entities, many may be able to comply with the 
disclosure reporting requirements without developing or implementing new technologies. For 
entities that do choose to either update their existing capabilities or develop and implement new 
technologies to facilitate compliance, we assumed two sets of costs: (1) planning and policy 
development costs and (2) system update costs. SAMHSA notes that the Office of the National 
Coordinator for Health Information Technology and other organizations are encouraging 


adoption of electronic health records to allow providers to access patient records remotely, 
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improve communication with patients and other providers and reduce errors 
(https://www.healthit.gov/providers-professionals/benefits-electronic-health-records-ehrs)). For 
these reasons, we believe that the trend toward adoption of electronic health records will 
continue. 

Absent any data on the number of facilities that would require new technology or the type 
of technology to be implemented, we assumed that twenty-five percent (n = 4,398) of the 
remaining entities would choose to upgrade their existing health IT systems. The actual system 
upgrade costs will vary considerably based on the type of upgrades that are required. Some 
entities may only require minor system updates to streamline the reporting requirements, while 
others may choose to implement an entirely new system. Given these data limitations, we 
assumed an average, per-entity cost, of $2,500 for planning development costs and an average, 
per-entity cost, of $8,000 for system upgrades for a total cost of $10,500. We assume that ten 
percent of entities will implement each year, resulting in 100 percent of the 4,398 entities having 
implemented the system planning and upgrades by year 10. The implementation costs for List of 
Disclosures reporting compliance in year 1, and each year thereafter, are estimated to be 
approximately $4,618,000 ([4,398*0.10] * [8,000+2,500]). We acknowledge that without better 
data on the number of facilities that may require new technology and the number of facilities that 
would use the general designation and therefore be required to comply with the list of disclosures 
requirement, this approach may overestimate or underestimate the costs. 

As entities begin to comply with the disclosure reporting requirements, we assumed that 
the majority of the costs associated with the List of Disclosures requirement would primarily 


come from staff time needed to prepare a list of disclosures upon a patient's request. We also 
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assumed that the information would need to be converted to a format that is accessible to 
patients. 

For those entities with a health IT system, we expected that disclosure information would 
be available in the system's audit log. We also assumed that, unless the audit log has some sort of 
electronic filtering system, it would contain information above and beyond the requirements for 
complying with a request for a list of disclosures. We had also assumed that the staff accessing 
and filtering an audit log to compile the information for lists of disclosures would be health 
information technicians. The average hourly rate for health information technicians is $19.44 an 


hour. tS4 


In order to account for benefits and overhead costs associated with staff time, we 
multiplied the hourly wage rate by two. Absent any existing information on the amount of time 
associated with producing a list of disclosures from an audit log, we assumed it would take a 
health information technician half a day (or 4 hours) on average, to produce the list from an audit 
log. 

For entities using paper records to track disclosures, we expected that a staff member 
would need to gather and aggregate the requested list of disclosures from paper records. We 
assumed medical record technicians would be the staff with the primary responsibility for 
compiling the information for a list of disclosures. The average hourly rate for medical record 


{6l1 order to account for benefits and overhead costs 


technicians is $19.44 an hour an hour. 
associated with staff time, we multiplied the hourly wage rate by two. Absent any existing 
information on the amount of time associated with producing a list of disclosures from paper 


records, we assumed it would take a medical record technician 3 hours, on average, to produce 


the list from paper records. "7! 
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The number of requests for a list of disclosures will determine the overall burden 
associated with the List of Disclosures reporting requirements. However, because this is a new 
requirement, there were no data on which to base an estimated number of requests per year. We 
expected that the rate of requests will be relatively low. We therefore calculated the total costs 
for two rates, 0.1 percent and 2 percent of patients per year. 

We used the average number of substance use disorder treatment admissions from 
SAMHSA's 2010-2012 TEDS as the number of patients treated annually by part 2 programs. 
Assuming that 10 percent of patients making requests (n = 186.17 to n = 3,723.39) would request 
a list of disclosures from entities that track disclosures through paper records and 90 percent of 
patients making requests (n = 1,675.52 to n = 33,510.47) would make such a request of entities 
that track disclosures through health IT audit logs, the estimated costs to develop lists of 
disclosures range from roughly $21,700 to $434,300 for entities using paper records, and 
$261,000 to $5,212,000 for entities using audit logs. (These ranges reflect the costs based on the 
two estimated patient rates of request referenced above (i.e., 0.1 percent and 2 percent of patients 
per year)). 

Once a list of disclosures has been produced, it can be returned to the patient either by 
email or mail. Since the method of sending the list of disclosures depends on patient preference, 
we assumed that 50 percent of the lists of disclosures would be sent by email and 50 percent by 
first-class mail. We assumed that mailing and supply costs related to list of disclosures 
notifications were $0.10 supply cost per notification and $0.49 postage cost per mailing. We also 
estimated that it would take an administrative staff member 15 minutes to prepare each list of 
disclosures for mailing and/or transmitting, and that staff preparing the letters earn $15.34 1®'per 


hour. In order to account for benefits and overhead costs associated with staff time, we 
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multiplied the hourly wage rate by two. The estimated costs for list of disclosures notifications 
range from approximately $7, 700 to $154,000 for notifications sent by first-class mail, and $7, 
140 to $143, 000 for notifications sent by email. 

To produce the final overall cost estimate, we took the average of the minimum and 
maximum estimated costs to develop lists of disclosures by entities collecting the information 
electronically by using an audit log, and the average of the minimum and maximum estimated 
costs to develop lists of disclosures by entities using paper records. We then added the averages 
together to produce our estimate of the total cost to entities to develop lists of disclosures. Next 
we took the average of the minimum and maximum estimated costs for list of disclosures 
notifications sent via email and the minimum and maximum estimated costs for such 
notifications sent via first-class mail. We then added these two averages together to produce our 
estimate of the total cost to entities for list of disclosures notifications. Finally, the development 
and notification costs for these lists of disclosures were added together for the final estimate of 
costs associated with complying with List of Disclosures reporting requirements. The total cost 
for List of Disclosures reporting compliance across all entities was roughly $3,120,000 in 2016 
dollars. Complying with List of Disclosures requirements is assumed to be an ongoing, annual 
activity for entities that have completed the system upgrade and comply with the disclosure 
requirements. Since we assume 10 percent of entities begin to comply with the requirements 
each year, year | reporting compliance costs is roughly $312,000 (3,120,000*0.10) and $624,000 
(3,120, 000*0.20) in year 2, and continues to increase each year until year 10 all entities are 


complying and have annual compliance costs of $3,120,000 














Table 5 — Total Estimated Disclosure Reporting Costs in 2018 (Note: Numbers may not add 


due to rounding) 
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Minimum estimated 


Maximum 


Average estimated cost 


























cost estimated cost 
Facilities with a Health IT 
$261,000 $5,212,000 $2,736,000 
System 
Facilities without a Health 
$21,700 $434,300 $228,000 
IT System 
Total Costs $2,964,000 
Average Number of 
19,548 


Facilities 


























Table 6 — Total Estimated Disclosure Notification Costs in 2018 (Note: Numbers may not 


add due to rounding) 








Minimum 


estimated cost 


Maximum 


estimated cost 


Average estimated cost 


























Email Notification $7,100 $143,000 $75,000 
First Class Mail Notification $7,700 $154,000 $81,000 
Total Costs $156,000 


























iv. IT Updates 


SAMHSA, in collaboration with ONC and federal and community stakeholders, has 


developed Consent2Share which is an open source tool for consent management and data 


segmentation that is designed to integrate with existing EHR and HIE systems. SAMHSA plans 
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to release shortly an updated version of Consent2Share with improved functionality and ability 
to meet list of disclosures requirements. 

The Consent2Share architecture has a front-end, patient facing system known as Patient 
Consent Management and a backend control system known as Access Control Services. 
Communications with EHR vendors indicated that the cost to facilities of purchasing and 
installing additional functionality to existing electronic medical records applications, such as 
Consent2Share, typically range from $2,500 to $5,000. Because the add-on systems for part 2 
programs may be more complex than standard patient monitoring systems, we estimated that the 
cost of adding the new functionality would be approximately $8,000 per facility. We also 
assumed that this would be a one-time expense, rather than a recurring cost, for each provider. 
SAMHSA acknowledges that there may be fluctuation in costs among affected entities from the 
average cost. However, though costs could possibly be higher for some entities, information 
shared by commenters was largely anecdotal and it is unclear how such data could be broadly 
extrapolated to a wide range of entities. 

Furthermore, national estimates indicated that no more than 50 percent of substance use 
disorder treatment facilities have an operational “computerized administrative information 
system.” 11 We, therefore, estimated that only half of the 12,034 part 2 programs (i.e., 6,017 
facilities) would have operational health IT systems that would require modifications to account 
for the changes to 42 CFR part 2. With 6,017 part 2 programs with operational information 
systems, we estimated that each facility would need to spend $8,000 to modify their health IT 
system, which would lead to a total burden for updating health IT systems of $48.1 million. 
Updating health IT systems would be a one-time cost, and maintenance costs should be part of 


general health IT maintenance costs in later years. The final rule does not require that part 2 
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programs adopt health IT systems so there are no health IT costs associated with substance use 
disorder treatment facilities that continue to use paper records. 

C. Regulatory Flexibility Act (RFA) 

The RFA requires agencies to analyze options for regulatory relief of small entities. For 
purposes of the RFA, small entities include small businesses, nonprofit organizations, and small 
governmental jurisdictions. Most hospitals and most other providers are small entities, either by 
nonprofit status or by having revenues of less than $7.5 million to $38.5 million in any one year. 
Individuals and states are not included in the definition of a small entity. We are not preparing an 
analysis for the RFA because we have determined, and the Secretary certifies, that this final rule 
will not have a significant economic impact on a substantial number of small entities. While the 
changes in the regulations will apply to all part 2 programs, the impact on these entities would be 
quite small. Specifically, as described in the Overall Impact section, the cost to part 2 programs 
associated with updates to 42 CFR part 2 in the first year that the final rule is in effect will be 
$76.1 million, a figure that due to a number of one-time updates, is the highest for any of the 10 
years estimated. The per-entity economic impact in the first year will be approximately $6,300 
($76,100,000 + 12,034), a figure that is unlikely to represent 3 percent of revenues for 5 percent 
of impacted small entities. Consequently, it has been determined that the final rule will not have 
a significant economic impact on small entities. 

In addition, Section 1102(b) of the Act requires us to prepare a regulatory impact analysis 
if arule may have a significant impact on the operations of a substantial number of small rural 
hospitals. This analysis must conform to the provisions of Section 603 of the RFA. For purposes 
of Section 1102(b) of the Act, we defined a small rural hospital as a hospital that is located 


outside of a Metropolitan Statistical Area for Medicare payment regulations and has fewer than 
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100 beds. We are not preparing an analysis for Section 1102(b) of the Act because we have 
determined, and the Secretary certifies, that this final rule will not have a significant impact on 
the operations of a substantial number of small rural hospitals. 

D. Unfunded Mandates Reform Act 

Section 202 of the Unfunded Mandates Reform Act of 1995 also requires that agencies 
assess anticipated costs and benefits before issuing any rule whose mandates require spending in 
any one year of $100 million in 1995 dollars, updated annually for inflation. In 2016, that 
threshold is approximately $146 million. This rule will have no consequential effect on state, 
local, or tribal governments or on the private sector. 

E. Federalism (Executive Order 13132) 

Executive Order 13132 establishes certain requirements that an agency must meet when it 
promulgates a proposed rule (and subsequent final rule) that imposes substantial direct 
requirement costs on state and local governments, preempts state law, or otherwise has 
Federalism implications. Since this rule does not impose any costs on state or local governments, 
the requirements of Executive Order 13132 are not applicable. 

SAMHSA is modernizing 42 CFR part 2. With respect to our revisions to the part 2 
regulations, we do not believe that this final rule will have a significant impact as it gives more 
flexibility to individuals and entities covered by 42 CFR part 2 but also adds privacy protections 
within the consent requirements for the patient. We are revising the part 2 regulations in response 
to concerns that 42 CFR part 2 was outdated and burdensome. 

Executive Order 13132 on Federalism (August 4, 1999) establishes certain requirements 
that an agency must meet when it promulgates a proposed rule (and subsequent final rule) that 


imposes substantial direct requirement costs on state and local governments, preempts state law, 
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or otherwise has Federalism implications. We have reviewed this final rule under the threshold 
criteria of Executive Order 13132, Federalism, and have determined that it will not have 
substantial direct effects on the rights, roles, and responsibilities of states, local or tribal 
governments. 
Conclusion 

SAMHSA is enacting changes to modernize 42 CFR part 2. With respect to our 
revisions to the regulations, we do not believe that this final rule will have a significant impact 
as it gives more flexibility to individuals and entities covered by 42 CFR part 2 but also 
increases privacy protections within the consent requirements and adds an additional 
confidentiality safeguard for patients. This final rule does not reach the threshold for requiring a 
regulatory impact analysis by Executive Orders 12866 and 13563 and thus is not considered an 
economically significant rule. This rule will not have a significant economic impact on a 
substantial number of small entities. This rule will not have a significant impact on the 
operations of a substantial number of small rural hospitals. Since this rule does not impose any 
costs on state or local governments, the requirements of Executive Order 13132 on federalism 
are not applicable. 
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List of Subjects in 42 CFR Part 2 
Alcohol abuse, Alcoholism, Drug abuse, Grant programs-health, Health records, Privacy, 


Reporting, and Recordkeeping requirements. 


For the reasons stated in the preamble of this final rule, SAMHSA revises 42 CFR part 2 
to read as follows: 


PART 2—CONFIDENTIALITY OF SUBSTANCE USE DISORDER PATIENT 
RECORDS 


Subpart A—Introduction 


Sec. 

2.1 Statutory authority for confidentiality of substance use disorder patient records. 
2.2 Purpose and effect. 

25 Criminal penalty for violation. 

2.4 Reports of violations. 


Subpart B—General Provisions 


Sec. 

2.11 Definitions. 

2.12 Applicability. 

2.13. Confidentiality restrictions and safeguards. 

2.14 Minor patients. 

2.15 Incompetent and deceased patients. 

2.16 Security for records. 

2.17. Undercover agents and informants. 

2.18 Restrictions on the use of identification cards. 

2.19 Disposition of records by discontinued programs. 

2.20 Relationship to state laws. 

2.21 Relationship to federal statutes protecting research subjects against compulsory 
disclosure of their identity. 


243 


2.22 Notice to patients of federal confidentiality requirements. 
2.23 Patient access and restrictions on use. 


Subpart C—Disclosures with Patient Consent 


Sec. 

2.31 Consent requirements. 

2.32 Prohibition on re-disclosure. 

2.33 Disclosures permitted with written consent. 

2.34 Disclosures to prevent multiple enrollments. 

2.35. Disclosures to elements of the criminal justice system which have referred patients. 


Subpart D—Disclosures without Patient Consent 


Sec. 

2.51 Medical emergencies. 
2.52 Research. 

2.53 Audit and evaluation. 


Subpart E—Court Orders Authorizing Disclosure and Use 


Sec. 

2.61 Legal effect of order. 

2.62 Order not applicable to records disclosed without consent to researchers, auditors and 
evaluators. 

2.63 Confidential communications. 

2.64 Procedures and criteria for orders authorizing disclosures for noncriminal purposes. 

2.65 Procedures and criteria for orders authorizing disclosure and use of records to criminally 
investigate or prosecute patients. 

2.66 Procedures and criteria for orders authorizing disclosure and use of records to investigate 
or prosecute a part 2 program or the person holding the records. 

2.67 Orders authorizing the use of undercover agents and informants to criminally investigate 
employees or agents of a part 2 program. 


Authority: 42 U.S.C. 290dd-2. 


Subpart A—Introduction 
§ 2.1 Statutory authority for confidentiality of substance use disorder patient records. 

Title 42, United States Code, Section 290dd-2(g) authorizes the Secretary to prescribe 
regulations. Such regulations may contain such definitions, and may provide for such safeguards 


and procedures, including procedures and criteria for the issuance and scope of orders, as in the 
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judgment of the Secretary are necessary or proper to effectuate the purposes of this statute, to 
prevent circumvention or evasion thereof, or to facilitate compliance therewith. 
§ 2.2 Purpose and effect. 

(a) Purpose. Pursuant to 42 U.S.C. 290dd-2(g), the regulations in this part impose 
restrictions upon the disclosure and use of substance use disorder patient records which are 
maintained in connection with the performance of any part 2 program. The regulations in this 
part include the following subparts: 

(1) Subpart B of this part: General Provisions, including definitions, applicability, and 
general restrictions; 

(2) Subpart C of this part: Disclosures with Patient Consent, including disclosures which 
require patient consent and the consent form requirements; 

(3) Subpart D of this part: Disclosures without Patient Consent, including disclosures 
which do not require patient consent or an authorizing court order; and 

(4) Subpart E of this part: Court Orders Authorizing Disclosure and Use, including 
disclosures and uses of patient records which may be made with an authorizing court order and 
the procedures and criteria for the entry and scope of those orders. 

(b) Effect. (1) The regulations in this part prohibit the disclosure and use of patient 
records unless certain circumstances exist. If any circumstance exists under which disclosure is 
permitted, that circumstance acts to remove the prohibition on disclosure but it does not compel 
disclosure. Thus, the regulations do not require disclosure under any circumstances. 

(2) The regulations in this part are not intended to direct the manner in which substantive 
functions such as research, treatment, and evaluation are carried out. They are intended to ensure 


that a patient receiving treatment for a substance use disorder in a part 2 program is not made 


245 


more vulnerable by reason of the availability of their patient record than an individual with a 
substance use disorder who does not seek treatment. 

(3) Because there is a criminal penalty for violating the regulations, they are to be 
construed strictly in favor of the potential violator in the same manner as a criminal statute (see 


M. Kraus & Brothers v. United States, 327 U.S. 614, 621-22, 66 S. Ct. 705, 707-08 (1946)). 





§ 2.3 Criminal penalty for violation. 


Under 42 U.S.C. 290dd-2(f), any person who violates any provision of this section or any 
regulation issued pursuant to this section shall be fined in accordance with Title 18 of the U.S. 
Code. 

§ 2.4 Reports of violations. 
(a) The report of any violation of the regulations in this part may be directed to the 

United States Attorney for the judicial district in which the violation occurs. 

(b) The report of any violation of the regulations in this part by an opioid treatment 
program may be directed to the United States Attorney for the judicial district in which the 
violation occurs as well as to the Substance Abuse and Mental Health Services Administration 


(SAMHSA) office responsible for opioid treatment program oversight. 


Subpart B—General Provisions 


§ 2.11 Definitions. 


For purposes of the regulations in this part: 
Central registry means an organization which obtains from two or more member 


programs patient identifying information about individuals applying for withdrawal management 
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or maintenance treatment for the purpose of avoiding an individual's concurrent enrollment in 
more than one treatment program. 

Diagnosis means any reference to an individual's substance use disorder or to a condition 
which is identified as having been caused by that substance use disorder which is made for the 
purpose of treatment or referral for treatment. 

Disclose means to communicate any information identifying a patient as being or having 
been diagnosed with a substance use disorder, having or having had a substance use disorder, or 
being or having been referred for treatment of a substance use disorder either directly, by 
reference to publicly available information, or through verification of such identification by 
another person. 


Federally assisted — see § 2.12(b). 





Informant means an individual: 

(1) Who is a patient or employee of a part 2 program or who becomes a patient or 
employee of a part 2 program at the request of a law enforcement agency or official; and 

(2) Who at the request of a law enforcement agency or official observes one or more 
patients or employees of the part 2 program for the purpose of reporting the information obtained 
to the law enforcement agency or official. 


Maintenance treatment means long-term pharmacotherapy for individuals with substance 





use disorders that reduces the pathological pursuit of reward and/or relief and supports remission 
of substance use disorder-related symptoms. 


Member program means a withdrawal management or maintenance treatment program 





which reports patient identifying information to a central registry and which is in the same state 
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as that central registry or is in a state that participates in data sharing with the central registry of 
the program in question. 

Minor, as used in the regulations in this part, means an individual who has not attained 
the age of majority specified in the applicable state law, or if no age of majority is specified in 
the applicable state law, the age of 18 years. 


Part 2 program means a federally assisted program (federally assisted as defined in 





§ 2.12(b) and program as defined in this section). See § 2.12(e)(1) for examples. 


Part 2 program director means: 





(1) In the case of a part 2 program that is an individual, that individual. 

(2) In the case of a part 2 program that is an entity, the individual designated as director 
or managing director, or individual otherwise vested with authority to act as chief executive 
officer of the part 2 program. 

Patient means any individual who has applied for or been given diagnosis, treatment, or 
referral for treatment for a substance use disorder at a part 2 program. Patient includes any 
individual who, after arrest on a criminal charge, is identified as an individual with a substance 
use disorder in order to determine that individual's eligibility to participate in a part 2 program. 
This definition includes both current and former patients. 


Patient identifying information means the name, address, social security number, 





fingerprints, photograph, or similar information by which the identity of a patient, as defined in 
this section, can be determined with reasonable accuracy either directly or by reference to other 
information. The term does not include a number assigned to a patient by a part 2 program, for 


internal use only by the part 2 program, if that number does not consist of or contain numbers 
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(such as a social security, or driver's license number) that could be used to identify a patient with 
reasonable accuracy from sources external to the part 2 program. 

Person means an individual, partnership, corporation, federal, state or local government 
agency, or any other legal entity, (also referred to as “individual or entity”). 

Program means: 

(1) An individual or entity (other than a general medical facility) who holds itself out as 
providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment; or 

(2) An identified unit within a general medical facility that holds itself out as providing, 
and provides, substance use disorder diagnosis, treatment, or referral for treatment; or 

(3) Medical personnel or other staff in a general medical facility whose primary function 
is the provision of substance use disorder diagnosis, treatment, or referral for treatment and who 
are identified as such providers. 


Qualified service organization means an individual or entity who: 





(1) Provides services to a part 2 program, such as data processing, bill collecting, dosage 
preparation, laboratory analyses, or legal, accounting, population health management, medical 
staffing, or other professional services, or services to prevent or treat child abuse or neglect, 
including training on nutrition and child care and individual and group therapy, and 

(2) Has entered into a written agreement with a part 2 program under which that 
individual or entity: 

(i) Acknowledges that in receiving, storing, processing, or otherwise dealing with any 


patient records from the part 2 program, it is fully bound by the regulations in this part; and 
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(ii) If necessary, will resist in judicial proceedings any efforts to obtain access to patient 
identifying information related to substance use disorder diagnosis, treatment, or referral for 
treatment except as permitted by the regulations in this part. 

Records means any information, whether recorded or not, created by, received, or 
acquired by a part 2 program relating to a patient (e.g., diagnosis, treatment and referral for 
treatment information, billing information, emails, voice mails, and texts). For the purpose of the 
regulations in this part, records include both paper and electronic records. 


Substance use disorder means a cluster of cognitive, behavioral, and physiological 





symptoms indicating that the individual continues using the substance despite significant 
substance-related problems such as impaired control, social impairment, risky use, and 
pharmacological tolerance and withdrawal. For the purposes of the regulations in this part, this 
definition does not include tobacco or caffeine use. 


Third-party payer means an individual or entity who pays and/or agrees to pay for 





diagnosis or treatment furnished to a patient on the basis of a contractual relationship with the 
patient or a member of the patient’s family or on the basis of the patient's eligibility for federal, 
state, or local governmental benefits. 


Treating provider relationship means that, regardless of whether there has been an actual 





in-person encounter: 
(1) A patient is, agrees to, or is legally required to be diagnosed, evaluated, and/or 
treated, or agrees to accept consultation, for any condition by an individual or entity, and; 
(2) The individual or entity undertakes or agrees to undertake diagnosis, evaluation, 


and/or treatment of the patient, or consultation with the patient, for any condition. 
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Treatment means the care of a patient suffering from a substance use disorder, a 
condition which is identified as having been caused by the substance use disorder, or both, in 
order to reduce or eliminate the adverse effects upon the patient. 


Undercover agent means any federal, state, or local law enforcement agency or official 





who enrolls in or becomes an employee of a part 2 program for the purpose of investigating a 
suspected violation of law or who pursues that purpose after enrolling or becoming employed for 
other purposes. 


Withdrawal management means the use of pharmacotherapies to treat or attenuate the 





problematic signs and symptoms arising when heavy and/or prolonged substance use is reduced 


or discontinued. 


§ 2.12 Applicability. 


(a) General—(1) Restrictions on disclosure. The restrictions on disclosure in the 








regulations in this part apply to any information, whether or not recorded, which: 

(i) Would identify a patient as having or having had a substance use disorder either 
directly, by reference to publicly available information, or through verification of such 
identification by another person; and 

(ii) Is drug abuse information obtained by a federally assisted drug abuse program after 
March 20, 1972 (part 2 program), or is alcohol abuse information obtained by a federally assisted 
alcohol abuse program after May 13, 1974 (part 2 program); or if obtained before the pertinent 
date, is maintained by a part 2 program after that date as part of an ongoing treatment episode 
which extends past that date; for the purpose of treating a substance use disorder, making a 


diagnosis for that treatment, or making a referral for that treatment. 
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(2) Restriction on use. The restriction on use of information to initiate or substantiate any 





criminal charges against a patient or to conduct any criminal investigation of a patient (42 U.S.C. 
290dd-2(c)) applies to any information, whether or not recorded, which is drug abuse 
information obtained by a federally assisted drug abuse program after March 20, 1972 (part 2 
program), or is alcohol abuse information obtained by a federally assisted alcohol abuse program 
after May 13, 1974 (part 2 program); or if obtained before the pertinent date, is maintained by a 
part 2 program after that date as part of an ongoing treatment episode which extends past that 
date; for the purpose of treating a substance use disorder, making a diagnosis for the treatment, 
or making a referral for the treatment. 


(b) Federal assistance. A program is considered to be federally assisted if: 





(1) It is conducted in whole or in part, whether directly or by contract or otherwise by any 
department or agency of the United States (but see paragraphs (c)(1) and (2) of this section 
relating to the Department of Veterans Affairs and the Armed Forces); 

(2) It is being carried out under a license, certification, registration, or other authorization 
granted by any department or agency of the United States including but not limited to: 

(i) Participating provider in the Medicare program; 

(ii) Authorization to conduct maintenance treatment or withdrawal management; or 

(ii1) Registration to dispense a substance under the Controlled Substances Act to the 
extent the controlled substance is used in the treatment of substance use disorders; 

(3) It is supported by funds provided by any department or agency of the United States by 


being: 
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(i) A recipient of federal financial assistance in any form, including financial assistance 
which does not directly pay for the substance use disorder diagnosis, treatment, or referral for 
treatment; or 

(ii) Conducted by a state or local government unit which, through general or special 
revenue sharing or other forms of assistance, receives federal funds which could be (but are not 
necessarily) spent for the substance use disorder program; or 

(4) It is assisted by the Internal Revenue Service of the Department of the Treasury 
through the allowance of income tax deductions for contributions to the program or through the 
granting of tax exempt status to the program. 


(c) Exceptions— (1) Department of Veterans Affairs. These regulations do not apply to 








information on substance use disorder patients maintained in connection with the Department of 
Veterans Affairs’ provision of hospital care, nursing home care, domiciliary care, and medical 
services under Title 38, U.S.C. Those records are governed by 38 U.S.C. 7332 and regulations 
issued under that authority by the Secretary of Veterans Affairs. 

(2) Armed Forces. The regulations in this part apply to any information described in 
paragraph (a) of this section which was obtained by any component of the Armed Forces during 
a period when the patient was subject to the Uniform Code of Military Justice except: 

(i) Any interchange of that information within the Armed Forces; and 

(ii) Any interchange of that information between the Armed Forces and those 
components of the Department of Veterans Affairs furnishing health care to veterans. 


(3) Communication within a part 2 program or between a part 2 program and an entity 





having direct administrative control over that part 2 program. The restrictions on disclosure in 





the regulations in this part do not apply to communications of information between or among 
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personnel having a need for the information in connection with their duties that arise out of the 
provision of diagnosis, treatment, or referral for treatment of patients with substance use 
disorders if the communications are: 

(i) Within a part 2 program; or 

(ii) Between a part 2 program and an entity that has direct administrative control over the 


program. 





(4) Qualified service organizations. The restrictions on disclosure in the regulations in 
this part do not apply to communications between a part 2 program and a qualified service 
organization of information needed by the qualified service organization to provide services to 
the program. 


(5) Crimes on part 2 program premises or against part 2 program personnel. The 





restrictions on disclosure and use in the regulations in this part do not apply to communications 
from part 2 program personnel to law enforcement agencies or officials which: 

(i) Are directly related to a patient's commission of a crime on the premises of the part 2 
program or against part 2 program personnel or to a threat to commit such a crime; and 

(ii) Are limited to the circumstances of the incident, including the patient status of the 
individual committing or threatening to commit the crime, that individual's name and address, 
and that individual's last known whereabouts. 


(6) Reports of suspected child abuse and neglect. The restrictions on disclosure and use in 





the regulations in this part do not apply to the reporting under state law of incidents of suspected 
child abuse and neglect to the appropriate state or local authorities. However, the restrictions 


continue to apply to the original substance use disorder patient records maintained by the part 2 


254 


program including their disclosure and use for civil or criminal proceedings which may arise out 
of the report of suspected child abuse and neglect. 


(d) Applicability to recipients of information— (1) Restriction on use of information. The 








restriction on the use of any information subject to the regulations in this part to initiate or 
substantiate any criminal charges against a patient or to conduct any criminal investigation of a 
patient applies to any person who obtains that information from a part 2 program, regardless of 
the status of the person obtaining the information or whether the information was obtained in 
accordance with the regulations in this part. This restriction on use bars, among other things, the 
introduction of that information as evidence in a criminal proceeding and any other use of the 
information to investigate or prosecute a patient with respect to a suspected crime. Information 
obtained by undercover agents or informants (see § 2.17) or through patient access (see § 2.23) is 
subject to the restriction on use. 


(2) Restrictions on disclosures—(i) Third-party payers, administrative entities, and 





others. The restrictions on disclosure in the regulations in this part apply to: 

(A) Third-party payers with regard to records disclosed to them by part 2 programs or 
under §2.31(a)(4)(ii1)(A); 

(B) Entities having direct administrative control over part 2 programs with regard to 
information that is subject to the regulations in this part communicated to them by the part 2 
program under paragraph (c)(3) of this section; and 

(C) Individuals or entities who receive patient records directly from a part 2 program or 
other lawful holder of patient identifying information and who are notified of the prohibition on 
re-disclosure in accordance with § 2.32. 


(ii) [Reserved] 
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(e) Explanation of applicability— (1) Coverage. These regulations cover any information 





(including information on referral and intake) about patients receiving diagnosis, treatment, or 
referral for treatment for a substance use disorder created by a part 2 program. Coverage 
includes, but is not limited to, those treatment or rehabilitation programs, employee assistance 
programs, programs within general hospitals, school-based programs, and private practitioners 
who hold themselves out as providing, and provide substance use disorder diagnosis, treatment, 
or referral for treatment. However, the regulations in this part would not apply, for example, to 
emergency room personnel who refer a patient to the intensive care unit for an apparent 
overdose, unless the primary function of such personnel is the provision of substance use 
disorder diagnosis, treatment, or referral for treatment and they are identified as providing such 
services or the emergency room has promoted itself to the community as a provider of such 
services. 


(2) Federal assistance to program required. If a patient's substance use disorder diagnosis, 





treatment, or referral for treatment is not provided by a part 2 program, that patient's record is not 
covered by the regulations in this part. Thus, it is possible for an individual patient to benefit 
from federal support and not be covered by the confidentiality regulations because the program 
in which the patient is enrolled is not federally assisted as defined in paragraph (b) of this 
section. For example, if a federal court placed an individual in a private for-profit program and 
made a payment to the program on behalf of that individual, that patient's record would not be 
covered by the regulations in this part unless the program itself received federal assistance as 
defined by paragraph (b) of this section. 


(3) Information to which restrictions are applicable. Whether a restriction applies to use 





or disclosure affects the type of information which may be disclosed. The restrictions on 
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disclosure apply to any information which would identify a patient as having or having had a 
substance use disorder. The restriction on use of information to bring criminal charges against a 
patient for a crime applies to any information obtained by the part 2 program for the purpose of 
diagnosis, treatment, or referral for treatment of patients with substance use disorders. (Note that 
restrictions on use and disclosure apply to recipients of information under paragraph (d) of this 


section.) 





(4) How type of diagnosis affects coverage. These regulations cover any record of a 
diagnosis identifying a patient as having or having had a substance use disorder which is initially 
prepared by a part 2 provider in connection with the treatment or referral for treatment of a 
patient with a substance use disorder. A diagnosis prepared for the purpose of treatment or 
referral for treatment but which is not so used is covered by the regulations in this part. The 
following are not covered by the regulations in this part: 

(i) Diagnosis which is made solely for the purpose of providing evidence for use by law 
enforcement agencies or officials; or 

(ii) A diagnosis of drug overdose or alcohol intoxication which clearly shows that the 
individual involved does not have a substance use disorder (e.g., involuntary ingestion of alcohol 
or drugs or reaction to a prescribed dosage of one or more drugs). 

§ 2.13 Confidentiality restrictions and safeguards. 

(a) General. The patient records subject to the regulations in this part may be disclosed or 
used only as permitted by the regulations in this part and may not otherwise be disclosed or used 
in any civil, criminal, administrative, or legislative proceedings conducted by any federal, state, 
or local authority. Any disclosure made under the regulations in this part must be limited to that 


information which is necessary to carry out the purpose of the disclosure. 
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(b) Unconditional compliance required. The restrictions on disclosure and use in the 





regulations in this part apply whether or not the part 2 program or other lawful holder of the 
patient identifying information believes that the person seeking the information already has it, 
has other means of obtaining it, is a law enforcement agency or official or other government 
official, has obtained a subpoena, or asserts any other justification for a disclosure or use which 


is not permitted by the regulations in this part. 





(c) Acknowledging the presence of patients: Responding to requests. (1) The presence of 
an identified patient in a health care facility or component of a health care facility which is 
publicly identified as a place where only substance use disorder diagnosis, treatment, or referral 
for treatment is provided may be acknowledged only if the patient's written consent is obtained 
in accordance with subpart C of this part or if an authorizing court order is entered in accordance 
with subpart E of this part. The regulations permit acknowledgement of the presence of an 
identified patient in a health care facility or part of a health care facility if the health care facility 
is not publicly identified as only a substance use disorder diagnosis, treatment, or referral for 
treatment facility, and if the acknowledgement does not reveal that the patient has a substance 
use disorder. 

(2) Any answer to a request for a disclosure of patient records which is not permissible 
under the regulations in this part must be made in a way that will not affirmatively reveal that an 
identified individual has been, or is being, diagnosed or treated for a substance use disorder. An 
inquiring party may be provided a copy of the regulations in this part and advised that they 
restrict the disclosure of substance use disorder patient records, but may not be told affirmatively 


that the regulations restrict the disclosure of the records of an identified patient. 
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(d) List of disclosures. Upon request, patients who have consented to disclose their 





patient identifying information using a general designation pursuant to § 2.31(a)(4)(11i)(B)(3) 
must be provided a list of entities to which their information has been disclosed pursuant to the 
general designation. 

(1) Under this paragraph (d), patient requests: 

(i) Must be made in writing; and 

(ii) Are limited to disclosures made within the past two years; 

(2) Under this paragraph (d), the entity named on the consent form that discloses 
information pursuant to a patient's general designation (the entity that serves as an intermediary, 
as described in § 2.31(a)(4)(ii1)(B)) must: 

(i) Respond in 30 or fewer days of receipt of the written request; and 

(11) Provide, for each disclosure, the name(s) of the entity(-ies) to which the disclosure 
was made, the date of the disclosure, and a brief description of the patient identifying 
information disclosed. 

(3) The part 2 program is not responsible for compliance with this paragraph (d); the 
entity that serves as an intermediary, as described in § 2.31(a)(4)(ii)(B), is responsible for 
compliance with the list of disclosures requirement. 


§ 2.14 Minor patients. 


(a) State law not requiring parental consent to treatment. If a minor patient acting alone 





has the legal capacity under the applicable state law to apply for and obtain substance use 
disorder treatment, any written consent for disclosure authorized under subpart C of this part 
may be given only by the minor patient. This restriction includes, but is not limited to, any 


disclosure of patient identifying information to the parent or guardian of a minor patient for the 
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purpose of obtaining financial reimbursement. These regulations do not prohibit a part 2 program 
from refusing to provide treatment until the minor patient consents to the disclosure necessary to 
obtain reimbursement, but refusal to provide treatment may be prohibited under a state or local 
law requiring the program to furnish the service irrespective of ability to pay. 


(b) State law requiring parental consent to treatment. (1) Where state law requires consent 





of a parent, guardian, or other individual for a minor to obtain treatment for a substance use 
disorder, any written consent for disclosure authorized under subpart C of this part must be given 
by both the minor and their parent, guardian, or other individual authorized under state law to act 
in the minor's behalf. 

(2) Where state law requires parental consent to treatment, the fact of a minor's 
application for treatment may be communicated to the minor's parent, guardian, or other 
individual authorized under state law to act in the minor's behalf only if: 

(i) The minor has given written consent to the disclosure in accordance with subpart C of 
this part; or 

(ii) The minor lacks the capacity to make a rational choice regarding such consent as 
judged by the part 2 program director under paragraph (c) of this section. 


(c) Minor applicant for services lacks capacity for rational choice. Facts relevant to 





reducing a substantial threat to the life or physical well-being of the minor applicant or any other 
individual may be disclosed to the parent, guardian, or other individual authorized under state 
law to act in the minor's behalf if the part 2 program director judges that: 

(1) A minor applicant for services lacks capacity because of extreme youthor mental or 


physical condition to make a rational decision on whether to consent to a disclosure under 
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subpart C of this part to their parent, guardian, or other individual authorized under state law to 
act in the minor's behalf; and 

(2) The minor applicant's situation poses a substantial threat to the life or physical well- 
being of the minor applicant or any other individual which may be reduced by communicating 
relevant facts to the minor's parent, guardian, or other individual authorized under state law to act 
in the minor's behalf. 


§ 2.15 Incompetent and deceased patients. 


(a) Incompetent patients other than minors—(1) Adjudication of incompetence. In the 








case of a patient who has been adjudicated as lacking the capacity, for any reason other than 
insufficient age, to their own affairs, any consent which is required under the regulations in this 
part may be given by the guardian or other individual authorized under state law to act in the 
patient's behalf. 


(2) No adjudication of incompetency. In the case of a patient, other than a minor or one 





who has been adjudicated incompetent, that for any period suffers from a medical condition that 
prevents knowing or effective action on their own behalf, the part 2 program director may 
exercise the right of the patient to consent to a disclosure under subpart C of this part for the sole 
purpose of obtaining payment for services from a third-party payer. 


(b) Deceased patients—(1) Vital statistics. These regulations do not restrict the disclosure 





of patient identifying information relating to the cause of death of a patient under laws requiring 
the collection of death or other vital statistics or permitting inquiry into the cause of death. 


(2) Consent by personal representative. Any other disclosure of information identifying a 





deceased patient as having a substance use disorder is subject to the regulations in this part. If a 


written consent to the disclosure is required, that consent may be given by an executor, 
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administrator, or other personal representative appointed under applicable state law. If there is no 
such applicable state law appointment, the consent may be given by the patient's spouse or, if 
none, by any responsible member of the patient's family. 

§ 2.16 Security for records. 

(a) The part 2 program or other lawful holder of patient identifying information must 
have in place formal policies and procedures to reasonably protect against unauthorized uses and 
disclosures of patient identifying information and to protect against reasonably anticipated 
threats or hazards to the security of patient identifying information. These formal policies and 
procedures must address: 

(1) Paper records, including: 

(i) Transferring and removing such records; 

(ii) Destroying such records, including sanitizing the hard copy media associated with the 
paper printouts, to render the patient identifying information non-retrievable; 

(i111) Maintaining such records in a secure room, locked file cabinet, safe, or other similar 
container, or storage facility when not in use; 

(iv) Using and accessing workstations, secure rooms, locked file cabinets, safes, or other 
similar containers, and storage facilities that use or store such information; and 

(v) Rendering patient identifying information non-identifiable in a manner that creates a 
very low risk of re-identification (e.g., removing direct identifiers). 

(2) Electronic records, including: 

(i) Creating, receiving, maintaining, and transmitting such records; 

(ii) Destroying such records, including sanitizing the electronic media on which such 


records are stored, to render the patient identifying information non-retrievable;(iii) Using and 
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accessing electronic records or other electronic media containing patient identifying information; 
and 

(iv) Rendering the patient identifying information non-identifiable in a manner that 
creates a very low risk of re-identification (e.g., removing direct identifiers). 


(b) [Reserved] 


§ 2.17 Undercover agents and informants. 





(a) Restrictions on placement. Except as specifically authorized by a court order granted 
under § 2.67, no part 2 program may knowingly employ, or enroll as a patient, any undercover 
agent or informant. 


(b) Restriction on use of information. No information obtained by an undercover agent or 





informant, whether or not that undercover agent or informant is placed in a part 2 program 
pursuant to an authorizing court order, may be used to criminally investigate or prosecute any 
patient. 

§ 2.18 Restrictions on the use of identification cards. 

No person may require any patient to carry in their immediate possession while away 
from the part 2 program premises any card or other object which would identify the patient as 
having a substance use disorder. This section does not prohibit a person from requiring patients 
to use or carry cards or other identification objects on the premises of a part 2 program. 

§ 2.19 Disposition of records by discontinued programs. 

(a) General. If a part 2 program discontinues operations or is taken over or acquired by 

another program, it must remove patient identifying information from its records or destroy its 


records, including sanitizing any associated hard copy or electronic media, to render the patient 
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identifying information non-retrievable in a manner consistent with the policies and procedures 
established under § 2.16, unless: 

(1) The patient who is the subject of the records gives written consent (meeting the 
requirements of § 2.31) to a transfer of the records to the acquiring program or to any other 
program designated in the consent (the manner of obtaining this consent must minimize the 
likelihood of a disclosure of patient identifying information to a third party); or 

(2) There is a legal requirement that the records be kept for a period specified by law 
which does not expire until after the discontinuation or acquisition of the part 2 program. 


(b) Special procedure where retention period required by law. If paragraph (a)(2) of this 





section applies: 

(1) Records, which are paper, must be: 

(1) Sealed in envelopes or other containers labeled as follows: “Records of [insert name of 
program] required to be maintained under [insert citation to statute, regulation, court order or 
other legal authority requiring that records be kept] until a date not later than [insert appropriate 
date]”’; 

(A) All hard copy media from which the paper records were produced, such as printer 
and facsimile ribbons, drums, etc., must be sanitized to render the data non-retrievable; and 

(B) [Reserved] 

(ii) Held under the restrictions of the regulations in this part by a responsible person who 
must, as soon as practicable after the end of the required retention period specified on the label, 
destroy the records and sanitize any associated hard copy media to render the patient identifying 
information non-retrievable in a manner consistent with the discontinued program's or acquiring 


program's policies and procedures established under § 2.16. 
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(2) Records, which are electronic, must be: 

(i) Transferred to a portable electronic device with implemented encryption to encrypt the 
data at rest so that there is a low probability of assigning meaning without the use of a 
confidential process or key and implemented access controls for the confidential process or key; 
or 

(ii) Transferred, along with a backup copy, to separate electronic media, so that both the 
records and the backup copy have implemented encryption to encrypt the data at rest so that 
there is a low probability of assigning meaning without the use of a confidential process or key 
and implemented access controls for the confidential process or key; and 

(ii1) Within one year of the discontinuation or acquisition of the program, all electronic 
media on which the patient records or patient identifying information resided prior to being 
transferred to the device specified in (i) above or the original and backup electronic media 
specified in (11) above, including email and other electronic communications, must be sanitized 
to render the patient identifying information non-retrievable in a manner consistent with the 
discontinued program's or acquiring program's policies and procedures established under § 2.16; 
and 

(iv) The portable electronic device or the original and backup electronic media must be: 

(A) Sealed in a container along with any equipment needed to read or access the 
information, and labeled as follows: “Records of [insert name of program] required to be 
maintained under [insert citation to statute, regulation, court order or other legal authority 


requiring that records be kept] until a date not later than [insert appropriate date];” and 
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(B) Held under the restrictions of the regulations in this part by a responsible person who 
must store the container in a manner that will protect the information (e.g., climate controlled 
environment); and 

(v) The responsible person must be included on the access control list and be provided a 
means for decrypting the data. The responsible person must store the decryption tools on a 
device or at a location separate from the data they are used to encrypt or decrypt; and 

(vi) As soon as practicable after the end of the required retention period specified on the 
label, the portable electronic device or the original and backup electronic media must be 
sanitized to render the patient identifying information non-retrievable consistent with the policies 
established under § 2.16. 

§ 2.20 Relationship to state laws. 

The statute authorizing the regulations in this part (42 U.S.C. 290dd-2) does not preempt 
the field of law which they cover to the exclusion of all state laws in that field. If a disclosure 
permitted under the regulations in this part is prohibited under state law, neither the regulations 
in this part nor the authorizing statute may be construed to authorize any violation of that state 
law. However, no state law may either authorize or compel any disclosure prohibited by the 


regulations in this part. 


§ 2.21 Relationship to federal statutes protecting research subjects against compulsory 


disclosure of their identity. 


(a) Research privilege description. There may be concurrent coverage of patient 





identifying information by the regulations in this part and by administrative action taken under 
section 502(c) of the Controlled Substances Act (21 U.S.C. 872(c) and the implementing 


regulations at 21 CFR part 1316); or section 301(d) of the Public Health Service Act (42 U.S.C. 
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241(d) and the implementing regulations at 42 CFR part 2a). These research privilege statutes 
confer on the Secretary of Health and Human Services and on the Attorney General, 
respectively, the power to authorize researchers conducting certain types of research to withhold 
from all persons not connected with the research the names and other identifying information 
concerning individuals who are the subjects of the research. 


(b) Effect of concurrent coverage. These regulations restrict the disclosure and use of 





information about patients, while administrative action taken under the research privilege statutes 
and implementing regulations protects a person engaged in applicable research from being 
compelled to disclose any identifying characteristics of the individuals who are the subjects of 
that research. The issuance under subpart E of this part of a court order authorizing a disclosure 
of information about a patient does not affect an exercise of authority under these research 
privilege statutes. 


§ 2.22 Notice to patients of federal confidentiality requirements. 


(a) Notice required. At the time of admission to a part 2 program or, in the case that a 





patient does not have capacity upon admission to understand his or her medical status, as soon 
thereafter as the patient attains such capacity, each part 2 program shall: 

(1) Communicate to the patient that federal law and regulations protect the confidentiality 
of substance use disorder patient records; and 

(2) Give to the patient a summary in writing of the federal law and regulations. 


(b) Required elements of written summary. The written summary of the federal law and 





regulations must include: 
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(1) A general description of the limited circumstances under which a part 2 program may 
acknowledge that an individual is present or disclose outside the part 2 program information 
identifying a patient as having or having had a substance use disorder; 

(2) A statement that violation of the federal law and regulations by a part 2 program is a 
crime and that suspected violations may be reported to appropriate authorities consistent with 
§ 2.4, along with contact information; 

(3) A statement that information related to a patient's commission of a crime on the 
premises of the part 2 program or against personnel of the part 2 program is not protected; 

(4) A statement that reports of suspected child abuse and neglect made under state law to 
appropriate state or local authorities are not protected; and 

(5) A citation to the federal law and regulations. 


(c) Program options. The part 2 program must devise a notice to comply with the 





requirement to provide the patient with a summary in writing of the federal law and regulations. 
In this written summary, the part 2 program also may include information concerning state law 
and any of the part 2 program's policies that are not inconsistent with state and federal law on the 
subject of confidentiality of substance use disorder patient records. 


§ 2.23 Patient access and restrictions on use. 


(a) Patient access not prohibited. These regulations do not prohibit a part 2 program from 





giving a patient access to their own records, including the opportunity to inspect and copy any 
records that the part 2 program maintains about the patient. The part 2 program is not required to 
obtain a patient's written consent or other authorization under the regulations in this part in order 


to provide such access to the patient. 


268 


(b) Restriction on use of information. Information obtained by patient access to his or her 





patient record is subject to the restriction on use of this information to initiate or substantiate any 
criminal charges against the patient or to conduct any criminal investigation of the patient as 


provided for under § 2.12(d)(1). 


Subpart C—Disclosures With Patient Consent 


§ 2.31 Consent requirements. 


(a) Required elements for written consent. A written consent to a disclosure under the 





regulations in this part may be paper or electronic and must include: 

(1) The name of the patient. 

(2) The specific name(s) or general designation(s) of the part 2 program(s), entity(ies), or 
individual(s) permitted to make the disclosure. 

(3) How much and what kind of information is to be disclosed, including an explicit 
description of the substance use disorder information that may be disclosed. 

(4)(i) The name(s) of the individual(s) to whom a disclosure is to be made; or 


(ii) Entities with a treating provider relationship with the patient. If the recipient entity 





has a treating provider relationship with the patient whose information is being disclosed, such as 
a hospital, a health care clinic, or a private practice, the name of that entity; or 


(ii1) Entities without a treating provider relationship with the patient. 





(A) If the recipient entity does not have a treating provider relationship with the patient 
whose information is being disclosed and is a third-party payer, the name of the entity; or 
(B) If the recipient entity does not have a treating provider relationship with the patient 


whose information is being disclosed and is not covered by paragraph (a)(4)(i1i)(A) of this 
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section, such as an entity that facilitates the exchange of health information or a research 
institution, the name(s) of the entity(-ies); and 

(1) The name(s) of an individual participant(s); or 

(2) The name(s) of an entity participant(s) that has a treating provider relationship with 
the patient whose information is being disclosed; or 

(3) A general designation of an individual or entity participant(s) or class of participants 
that must be limited to a participant(s) who has a treating provider relationship with the patient 
whose information is being disclosed. 

(i) When using a general designation, a statement must be included on the consent form 
that the patient (or other individual authorized to sign in lieu of the patient), confirms their 
understanding that, upon their request and consistent with this part, they must be provided a list 
of entities to which their information has been disclosed pursuant to the general designation (see 
§ 2.13(d)). 

(ii) [Reserved] 

(5) The purpose of the disclosure. In accordance with § 2.13(a), the disclosure must be 
limited to that information which is necessary to carry out the stated purpose. 

(6) A statement that the consent is subject to revocation at any time except to the extent 
that the part 2 program or other lawful holder of patient identifying information that is permitted 
to make the disclosure has already acted in reliance on it. Acting in reliance includes the 


provision of treatment services in reliance on a valid consent to disclose information to a third- 


party payer 
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(7) The date, event, or condition upon which the consent will expire if not revoked 
before. This date, event, or condition must ensure that the consent will last no longer than 
reasonably necessary to serve the purpose for which it is provided. 

(8) The signature of the patient and, when required for a patient who is a minor, the 
signature of an individual authorized to give consent under § 2.14; or, when required for a patient 
who is incompetent or deceased, the signature of an individual authorized to sign under § 2.15. 
Electronic signatures are permitted to the extent that they are not prohibited by any applicable 
law. 

(9) The date on which the consent is signed. 


(b) Expired, deficient, or false consent. A disclosure may not be made on the basis of a 





consent which: 

(1) Has expired; 

(2) On its face substantially fails to conform to any of the requirements set forth in 
paragraph (a) of this section; 

(3) Is known to have been revoked; or 

(4) Is known, or through reasonable diligence could be known, by the individual or entity 
holding the records to be materially false. 


§ 2.32 Prohibition on re-disclosure. 


(a) Notice to accompany disclosure. Each disclosure made with the patient's written 





consent must be accompanied by the following written statement: This information has been 
disclosed to you from records protected by federal confidentiality rules (42 CFR part 2). The 
federal rules prohibit you from making any further disclosure of information in this record that 


identifies a patient as having or having had a substance use disorder either directly, by reference 
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to publicly available information, or through verification of such identification by another person 
unless further disclosure is expressly permitted by the written consent of the individual whose 
information is being disclosed or as otherwise permitted by 42 CFR part 2. A general 
authorization for the release of medical or other information is NOT sufficient for this purpose 
(see § 2.31). The federal rules restrict any use of the information to investigate or prosecute with 
regard to a crime any patient with a substance use disorder, except as provided at §§ 2.12(c)(5) 
and 2.65. 

(b) [Reserved] 
§ 2.33 Disclosures permitted with written consent. 

If a patient consents to a disclosure of their records under § 2.31, a program may disclose 
those records in accordance with that consent to any person identified in the consent, except that 
disclosures to central registries and in connection with criminal justice referrals must meet the 
requirements of §§ 2.34 and 2.35, respectively. 


§ 2.34 Disclosures to prevent multiple enrollments. 


(a) Restrictions on disclosure. A part 2 program, as defined in § 2.11, may disclose 





patient records to a central registry or to any withdrawal management or maintenance treatment 
program not more than 200 miles away for the purpose of preventing the multiple enrollment of 
a patient only if: 

(1) The disclosure is made when: 

(i) The patient is accepted for treatment; 

(ii) The type or dosage of the drug is changed; or 

(iii) The treatment is interrupted, resumed or terminated. 


(2) The disclosure is limited to: 
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(i) Patient identifying information; 

(ii) Type and dosage of the drug; and 

(iii) Relevant dates. 

(3) The disclosure is made with the patient's written consent meeting the requirements of 
§ 2.31, except that: 

(i) The consent must list the name and address of each central registry and each known 
withdrawal management or maintenance treatment program to which a disclosure will be made; 
and 

(ii) The consent may authorize a disclosure to any withdrawal management or 
maintenance treatment program established within 200 miles of the program, but does not need 
to individually name all programs.. 


(b) Use of information limited to prevention of multiple enrollments. A central registry 





and any withdrawal management or maintenance treatment program to which information is 
disclosed to prevent multiple enrollments may not re-disclose or use patient identifying 
information for any purpose other than the prevention of multiple enrollments unless authorized 
by a court order under subpart E of this part. 


(c) Permitted disclosure by a central registry to prevent a multiple enrollment. When a 





member program asks a central registry if an identified patient is enrolled in another member 
program and the registry determines that the patient is so enrolled, the registry may disclose: 
(1) The name, address, and telephone number of the member program(s) in which the 
patient is already enrolled to the inquiring member program; and 
(2) The name, address, and telephone number of the inquiring member program to the 


member program(s) in which the patient is already enrolled. The member programs may 
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communicate as necessary to verify that no error has been made and to prevent or eliminate any 
multiple enrollments. 


(d) Permitted disclosure by a withdrawal management or maintenance treatment program 





to prevent a multiple enrollment. A withdrawal management or maintenance treatment program 





which has received a disclosure under this section and has determined that the patient is already 
enrolled may communicate as necessary with the program making the disclosure to verify that no 
error has been made and to prevent or eliminate any multiple enrollments. 


2.35 Disclosures to elements of the criminal justice system which have referred patients. 





(a) A part 2 program may disclose information about a patient to those individuals within 
the criminal justice system who have made participation in the part 2 program a condition of the 
disposition of any criminal proceedings against the patient or of the patient's parole or other 
release from custody if: 

(1) The disclosure is made only to those individuals within the criminal justice system 
who have a need for the information in connection with their duty to monitor the patient's 
progress (e.g., a prosecuting attorney who is withholding charges against the patient, a court 
granting pretrial or post-trial release, probation or parole officers responsible for supervision of 
the patient); and 

(2) The patient has signed a written consent meeting the requirements of § 2.31 (except 
paragraph (a)(8) which is inconsistent with the revocation provisions of paragraph (c) of this 
section) and the requirements of paragraphs (b) and (c) of this section. 


(b) Duration of consent. The written consent must state the period during which it 





remains in effect. This period must be reasonable, taking into account: 


(1) The anticipated length of the treatment; 
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(2) The type of criminal proceeding involved, the need for the information in connection 
with the final disposition of that proceeding, and when the final disposition will occur; and 

(3) Such other factors as the part 2 program, the patient, and the individual(s) within the 
criminal justice system who will receive the disclosure consider pertinent. 


(c) Revocation of consent. The written consent must state that it is revocable upon the 





passage of a specified amount of time or the occurrence of a specified, ascertainable event. The 
time or occurrence upon which consent becomes revocable may be no later than the final 
disposition of the conditional release or other action in connection with which consent was 
given. 


(d) Restrictions on re-disclosure and use. An individual within the criminal justice system 





who receives patient information under this section may re-disclose and use it only to carry out 
that individual's official duties with regard to the patient's conditional release or other action in 


connection with which the consent was given. 


Subpart D—Disclosures Without Patient Consent 
§ 2.51 Medical emergencies. 

(a) General rule. Under the procedures required by paragraph (c) of this section, patient 
identifying information may be disclosed to medical personnel to the extent necessary to meet a 
bona fide medical emergency in which the patient's prior informed consent cannot be obtained. 

(b) Special rule. Patient identifying information may be disclosed to medical personnel of 
the Food and Drug Administration (FDA) who assert a reason to believe that the health of any 


individual may be threatened by an error in the manufacture, labeling, or sale of a product under 
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FDA jurisdiction, and that the information will be used for the exclusive purpose of notifying 
patients or their physicians of potential dangers. 

(c) Procedures. Immediately following disclosure, the part 2 program shall document, in 
writing, the disclosure in the patient's records, including: 

(1) The name of the medical personnel to whom disclosure was made and their affiliation 
with any health care facility; 

(2) The name of the individual making the disclosure; 

(3) The date and time of the disclosure; and 

(4) The nature of the emergency (or error, if the report was to FDA). 

§ 2.52 Research. 

(a) Notwithstanding other provisions of this part, including paragraph (b)(2) of this 
section, patient identifying information may be disclosed by the part 2 program or other lawful 
holder of part 2 data, for the purpose of conducting scientific research if the individual 
designated as director or managing director, or individual otherwise vested with authority to act 
as chief executive officer or their designee makes a determination that the recipient of the patient 
identifying information: 

(1) If a HIPAA-covered entity or business associate, has obtained and documented 
authorization from the patient, or a waiver or alteration of authorization, consistent with the 
HIPAA Privacy Rule at 45 CFR 164.508 or 164.512(i), as applicable; or 

(2) If subject to the HHS regulations regarding the protection of human subjects (45 CFR 
part 46), either provides documentation that the researcher is in compliance with the 


requirements of the HHS regulations, including the requirements related to informed consent or a 
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waiver of consent (45 CFR 46.111 and 46.116) or that the research qualifies for exemption under 
the HHS regulations (45 CFR 46.101(b) and any successor regulations; or 

(3) If both a HIPAA covered entity or business associate and subject to the HHS 
regulations regarding the protection of human subjects, has met the requirements of paragraphs 
(a)(1) and (2) of this section; and 

(4) If neither a HIPAA covered entity or business associate or subject to the HHS 
regulations regarding the protection of human subjects, this section does not apply. 

(b) Any individual or entity conducting scientific research using patient identifying 
information obtained under paragraph (a) of this section: 

(1) Is fully bound by the regulations in this part and, if necessary, will resist in judicial 
proceedings any efforts to obtain access to patient records except as permitted by the regulations 
in this part. 

(2) Must not re-disclose patient identifying information except back to the individual or 
entity from whom that patient identifying information was obtained or as permitted under 
paragraph (c) of this section. 

(3) May include part 2 data in research reports only in aggregate form in which patient 
identifying information has been rendered non-identifiable such that the information cannot be 
re-identified and serve as an unauthorized means to identify a patient, directly or indirectly, as 
having or having had a substance use disorder. 

(4) Must maintain and destroy patient identifying information in accordance with the 
security policies and procedures established under § 2.16. 

(5) Must retain records in compliance with applicable federal, state, and local record 


retention laws. 
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(c) Data linkages—(1) Researchers. Any individual or entity conducting scientific 





research using patient identifying information obtained under paragraph (a) of this section that 
requests linkages to data sets from a data repository(-ies) holding patient identifying information 
must: 

(i) Have the request reviewed and approved by an Institutional Review Board (IRB) 
registered with the Department of Health and Human Services, Office for Human Research 
Protections in accordance with 45 CFR part 46 to ensure that patient privacy is considered and 
the need for identifiable data is justified. Upon request, the researcher may be required to provide 
evidence of the IRB approval of the research project that contains the data linkage component. 

(ii) Ensure that patient identifying information obtained under paragraph (a) of this 


section is not provided to law enforcement agencies or officials. 





(2) Data repositories. For purposes of this section, a data repository is fully bound by the 
provisions of part 2 upon receipt of the patient identifying data and must: 

(i) After providing the researcher with the linked data, destroy or delete the linked data 
from its records, including sanitizing any associated hard copy or electronic media, to render the 
patient identifying information non-retrievable in a manner consistent with the policies and 
procedures established under § 2.16 Security for records. 

(ii) Ensure that patient identifying information obtained under paragraph (a) of this 
section is not provided to law enforcement agencies or officials. 

(2) Except as provided in paragraph (c) of this section, a researcher may not redisclose 


patient identifying information for data linkages purposes. 


§ 2.53 Audit and evaluation. 
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(a) Records not copied or removed. If patient records are not downloaded, copied or 





removed from the part 2 program premises or forwarded electronically to another electronic 
system or device, patient identifying information, as defined in § 2.11, may be disclosed in the 
course of a review of records on the part 2 program premises to any individual or entity who 
agrees in writing to comply with the limitations on re-disclosure and use in paragraph (d) of this 
section and who: 

(1) Performs the audit or evaluation on behalf of: 

(i) Any federal, state, or local government agency which provides financial assistance to 
the part 2 program or is authorized by law to regulate its activities; or 

(ii) Any individual or entity who provides financial assistance to the part 2 program, 
which is a third-party payer covering patients in the part 2 program, or which is a quality 
improvement organization performing a utilization or quality control review; or 

(2) Is determined by the part 2 program to be qualified to conduct an audit or evaluation 
of the part 2 program. 


(b) Copying, removing, downloading, or forwarding patient records. Records containing 





patient identifying information, as defined in § 2.11, may be copied or removed from a part 2 
program premises or downloaded or forwarded to another electronic system or device from the 
part 2 program's electronic records by any individual or entity who: 

(1) Agrees in writing to: 

(i) Maintain and destroy the patient identifying information in a manner consistent with 
the policies and procedures established under § 2.16; 

(ii) Retain records in compliance with applicable federal, state, and local record retention 


laws; and 
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(111) Comply with the limitations on disclosure and use in paragraph (d) of this section; 
and 

(2) Performs the audit or evaluation on behalf of: 

(i) Any federal, state, or local government agency which provides financial assistance to 
the part 2 program or is authorized by law to regulate its activities; or 

(ii) Any individual or entity who provides financial assistance to the part 2 program, 
which is a third-party payer covering patients in the part 2 program, or which is a quality 
improvement organization performing a utilization or quality control review. 


(c) Medicare, Medicaid, Children's Health Insurance Program (CHIP), or related audit or 





evaluation. (1) Patient identifying information, as defined in § 2.11, may be disclosed under 
paragraph (c) of this section to any individual or entity for the purpose of conducting a Medicare, 
Medicaid, or CHIP audit or evaluation, including an audit or evaluation necessary to meet the 
requirements for a Centers for Medicare & Medicaid Services (CMS)-regulated accountable care 
organization (CMS-regulated ACO) or similar CMS-regulated organization (including a CMS- 
regulated Qualified Entity (QE)), if the individual or entity agrees in writing to comply with the 
following: 

(i) Maintain and destroy the patient identifying information in a manner consistent with 
the policies and procedures established under § 2.16; 

(ii) Retain records in compliance with applicable federal, state, and local record retention 
laws; and 

(111) Comply with the limitations on disclosure and use in paragraph (d) of this section. 

(2) A Medicare, Medicaid, or CHIP audit or evaluation under this section includes a civil 


or administrative investigation of a part 2 program by any federal, state, or local government 
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agency with oversight responsibilities for Medicare, Medicaid, or CHIP and includes 
administrative enforcement, against the part 2 program by the government agency, of any 
remedy authorized by law to be imposed as a result of the findings of the investigation. 

(3) An audit or evaluation necessary to meet the requirements for a CMS-regulated ACO 
or similar CMS-regulated organization (including a CMS-regulated QE) must be conducted in 
accordance with the following: 

(i) A CMS-regulated ACO or similar CMS-regulated organization (including a CMS- 
regulated QE) must: 

(A) Have in place administrative and/or clinical systems; and 

(B) Have in place a leadership and management structure, including a governing body 
and chief executive officer with responsibility for oversight of the organization's management 
and for ensuring compliance with and adherence to the terms and conditions of the Participation 
Agreement or similar documentation with CMS; and 

(ii) A CMS-regulated ACO or similar CMS-regulated organization (including a CMS- 
regulated QE) must have a signed Participation Agreement or similar documentation with CMS, 
which provides that the CMS-regulated ACO or similar CMS-regulated organization (including a 
CMS-regulated QE): 

(A) Is subject to periodic evaluations by CMS or its agents, or is required by CMS to 
evaluate participants in the CMS-regulated ACO or similar CMS-regulated organization 
(including a CMS-regulated QE) relative to CMS-defined or approved quality and/or cost 
measures; 

(B) Must designate an executive who has the authority to legally bind the organization to 


ensure compliance with 42 U.S.C. 290dd-2 and this part and the terms and conditions of the 
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Participation Agreement in order to receive patient identifying information from CMS or its 
agents; 

(C) Agrees to comply with all applicable provisions of 42 U.S.C. 290dd-2 and this part; 

(D) Must ensure that any audit or evaluation involving patient identifying information 
occurs in a confidential and controlled setting approved by the designated executive; 

(E) Must ensure that any communications or reports or other documents resulting from an 
audit or evaluation under this section do not allow for the direct or indirect identification (e.g., 
through the use of codes) of a patient as having or having had a substance use disorder; and 

(F) Must establish policies and procedures to protect the confidentiality of the patient 
identifying information consistent with this part, the terms and conditions of the Participation 
Agreement, and the requirements set forth in paragraph (c)(1) of this section. 

(4) Program, as defined in § 2.11, includes an employee of, or provider of medical 
services under the program when the employee or provider is the subject of a civil investigation 
or administrative remedy, as those terms are used in paragraph (c)(2) of this section. 

(5) If a disclosure to an individual or entity is authorized under this section for a 
Medicare, Medicaid, or CHIP audit or evaluation, including a civil investigation or 
administrative remedy, as those terms are used in paragraph (c)(2) of this section, then a quality 
improvement organization which obtains the information under paragraph (a) or (b) of this 
section may disclose the information to that individual or entity but only for the purpose of 
conducting a Medicare, Medicaid, or CHIP audit or evaluation. 

(6) The provisions of this paragraph do not authorize the part 2 program, the federal, 


state, or local government agency, or any other individual or entity to disclose or use patient 
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identifying information obtained during the audit or evaluation for any purposes other than those 
necessary to complete the audit or evaluation as specified in paragraph (c) of this section. 


(d) Limitations on disclosure and use. Except as provided in paragraph (c) of this section, 





patient identifying information disclosed under this section may be disclosed only back to the 
program from which it was obtained and used only to carry out an audit or evaluation purpose or 
to investigate or prosecute criminal or other activities, as authorized by a court order entered 


under § 2.66. 


Subpart E—Court Orders Authorizing Disclosure and Use 
§ 2.61 Legal effect of order. 

(a) Effect. An order of a court of competent jurisdiction entered under this subpart is a 
unique kind of court order. Its only purpose is to authorize a disclosure or use of patient 
information which would otherwise be prohibited by 42 U.S.C. 290dd-2 and the regulations in 
this part. Such an order does not compel disclosure. A subpoena or a similar legal mandate must 
be issued in order to compel disclosure. This mandate may be entered at the same time as and 
accompany an authorizing court order entered under the regulations in this part. 

(b) Examples. (1) A person holding records subject to the regulations in this part receives 
a subpoena for those records. The person may not disclose the records in response to the 
subpoena unless a court of competent jurisdiction enters an authorizing order under the 
regulations in this part. 

(2) An authorizing court order is entered under the regulations in this part, but the person 
holding the records does not want to make the disclosure. If there is no subpoena or other 


compulsory process or a subpoena for the records has expired or been quashed, that person may 
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refuse to make the disclosure. Upon the entry of a valid subpoena or other compulsory process 
the person holding the records must disclose, unless there is a valid legal defense to the process 
other than the confidentiality restrictions of the regulations in this part. 

§ 2.62 Order not applicable to records disclosed without consent to researchers, auditors 
and evaluators. 

A court order under the regulations in this part may not authorize qualified personnel, 
who have received patient identifying information without consent for the purpose of conducting 
research, audit or evaluation, to disclose that information or use it to conduct any criminal 
investigation or prosecution of a patient. However, a court order under § 2.66 may authorize 
disclosure and use of records to investigate or prosecute qualified personnel holding the records. 
§ 2.63 Confidential communications. 

(a) A court order under the regulations in this part may authorize disclosure of 
confidential communications made by a patient to a part 2 program in the course of diagnosis, 
treatment, or referral for treatment only if: 

(1) The disclosure is necessary to protect against an existing threat to life or of serious 
bodily injury, including circumstances which constitute suspected child abuse and neglect and 
verbal threats against third parties; 

(2) The disclosure is necessary in connection with investigation or prosecution of an 
extremely serious crime allegedly committed by the patient, such as one which directly threatens 
loss of life or serious bodily injury, including homicide, rape, kidnapping, armed robbery, assault 


with a deadly weapon, or child abuse and neglect; or 


284 


(3) The disclosure is in connection with litigation or an administrative proceeding in 
which the patient offers testimony or other evidence pertaining to the content of the confidential 
communications. 

(b) [Reserved] 


2.64 Procedures and criteria for orders authorizing disclosures for noncriminal purposes. 





(a) Application. An order authorizing the disclosure of patient records for purposes other 


than criminal investigation or prosecution may be applied for by any person having a legally 
recognized interest in the disclosure which is sought. The application may be filed separately or 
as part of a pending civil action in which the applicant asserts that the patient records are needed 
to provide evidence. An application must use a fictitious name, such as John Doe, to refer to any 
patient and may not contain or otherwise disclose any patient identifying information unless the 
patient is the applicant or has given written consent (meeting the requirements of the regulations 
in this part) to disclosure or the court has ordered the record of the proceeding sealed from public 
scrutiny. 

(b) Notice. The patient and the person holding the records from whom disclosure is 
sought must be provided: 

(1) Adequate notice in a manner which does not disclose patient identifying information 
to other persons; and 

(2) An opportunity to file a written response to the application, or to appear in person, for 
the limited purpose of providing evidence on the statutory and regulatory criteria for the issuance 
of the court order as described in § 2.64(d). 


(c) Review of evidence: Conduct of hearing. Any oral argument, review of evidence, or 





hearing on the application must be held in the judge's chambers or in some manner which 
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ensures that patient identifying information is not disclosed to anyone other than a party to the 
proceeding, the patient, or the person holding the record, unless the patient requests an open 
hearing in a manner which meets the written consent requirements of the regulations in this part. 
The proceeding may include an examination by the judge of the patient records referred to in the 
application. 


(d) Criteria for entry of order. An order under this section may be entered only if the 





court determines that good cause exists. To make this determination the court must find that: 
(1) Other ways of obtaining the information are not available or would not be effective; 
and 
(2) The public interest and need for the disclosure outweigh the potential injury to the 
patient, the physician-patient relationship and the treatment services. 


(e) Content of order. An order authorizing a disclosure must: 





(1) Limit disclosure to those parts of the patient's record which are essential to fulfill the 
objective of the order; 

(2) Limit disclosure to those persons whose need for information is the basis for the 
order; and 

(3) Include such other measures as are necessary to limit disclosure for the protection of 
the patient, the physician-patient relationship and the treatment services; for example, sealing 
from public scrutiny the record of any proceeding for which disclosure of a patient's record has 


been ordered. 


§ 2.65 Procedures and criteria for orders authorizing disclosure and use of records to 


criminally investigate or prosecute patients. 
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(a) Application. An order authorizing the disclosure or use of patient records to 
investigate or prosecute a patient in connection with a criminal proceeding may be applied for by 
the person holding the records or by any law enforcement or prosecutorial officials who are 
responsible for conducting investigative or prosecutorial activities with respect to the 
enforcement of criminal laws. The application may be filed separately, as part of an application 
for a subpoena or other compulsory process, or in a pending criminal action. An application must 
use a fictitious name such as John Doe, to refer to any patient and may not contain or otherwise 
disclose patient identifying information unless the court has ordered the record of the proceeding 
sealed from public scrutiny. 


(b) Notice and hearing. Unless an order under § 2.66 is sought in addition to an order 





under this section, the person holding the records must be provided: 

(1) Adequate notice (in a manner which will not disclose patient identifying information 
to other persons) of an application by a law enforcement agency or official; 

(2) An opportunity to appear and be heard for the limited purpose of providing evidence 
on the statutory and regulatory criteria for the issuance of the court order as described in 
§ 2.65(d); and 

(3) An opportunity to be represented by counsel independent of counsel for an applicant 
who is a law enforcement agency or official. 


(c) Review of evidence: Conduct of hearings. Any oral argument, review of evidence, or 





hearing on the application shall be held in the judge's chambers or in some other manner which 
ensures that patient identifying information is not disclosed to anyone other than a party to the 
proceedings, the patient, or the person holding the records. The proceeding may include an 


examination by the judge of the patient records referred to in the application. 
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(d) Criteria. A court may authorize the disclosure and use of patient records for the 





purpose of conducting a criminal investigation or prosecution of a patient only if the court finds 
that all of the following criteria are met: 

(1) The crime involved is extremely serious, such as one which causes or directly 
threatens loss of life or serious bodily injury including homicide, rape, kidnapping, armed 
robbery, assault with a deadly weapon, and child abuse and neglect. 

(2) There is a reasonable likelihood that the records will disclose information of 
substantial value in the investigation or prosecution. 

(3) Other ways of obtaining the information are not available or would not be effective. 

(4) The potential injury to the patient, to the physician-patient relationship and to the 
ability of the part 2 program to provide services to other patients is outweighed by the public 
interest and the need for the disclosure. 

(5) If the applicant is a law enforcement agency or official, that: 

(i) The person holding the records has been afforded the opportunity to be represented by 
independent counsel; and 

(ii) Any person holding the records which is an entity within federal, state, or local 
government has in fact been represented by counsel independent of the applicant. 


(e) Content of order. Any order authorizing a disclosure or use of patient records under 





this section must: 

(1) Limit disclosure and use to those parts of the patient's record which are essential to 
fulfill the objective of the order; 

(2) Limit disclosure to those law enforcement and prosecutorial officials who are 


responsible for, or are conducting, the investigation or prosecution, and limit their use of the 
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records to investigation and prosecution of the extremely serious crime or suspected crime 
specified in the application; and 
(3) Include such other measures as are necessary to limit disclosure and use to the 


fulfillment of only that public interest and need found by the court. 


§ 2.66 Procedures and criteria for orders authorizing disclosure and use of records to 


investigate or prosecute a part 2 program or the person holding the records. 


(a) Application. (1) An order authorizing the disclosure or use of patient records to 
investigate or prosecute a part 2 program or the person holding the records (or employees or 
agents of that part 2 program or person holding the records) in connection with a criminal or 
administrative matter may be applied for by any administrative, regulatory, supervisory, 
investigative, law enforcement, or prosecutorial agency having jurisdiction over the program's or 
person's activities. 

(2) The application may be filed separately or as part of a pending civil or criminal action 
against a part 2 program or the person holding the records (or agents or employees of the part 2 
program or person holding the records) in which the applicant asserts that the patient records are 
needed to provide material evidence. The application must use a fictitious name, such as John 
Doe, to refer to any patient and may not contain or otherwise disclose any patient identifying 
information unless the court has ordered the record of the proceeding sealed from public scrutiny 
or the patient has provided written consent (meeting the requirements of § 2.31) to that 
disclosure. 


(b) Notice not required. An application under this section may, in the discretion of the 





court, be granted without notice. Although no express notice is required to the part 2 program, to 


the person holding the records, or to any patient whose records are to be disclosed, upon 
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implementation of an order so granted any of the above persons must be afforded an opportunity 
to seek revocation or amendment of that order, limited to the presentation of evidence on the 
statutory and regulatory criteria for the issuance of the court order in accordance with § 2.66(c). 


(c) Requirements for order. An order under this section must be entered in accordance 





with, and comply with the requirements of, paragraphs (d) and (e) of § 2.64. 


(d) Limitations on disclosure and use of patient identifying information. (1) An order 





entered under this section must require the deletion of patient identifying information from any 
documents made available to the public. 

(2) No information obtained under this section may be used to conduct any investigation 
or prosecution of a patient in connection with a criminal matter, or be used as the basis for an 


application for an order under § 2.65. 


§ 2.67 Orders authorizing the use of undercover agents and informants to investigate 


employees or agents of a part 2 program in connection with a criminal matter. 


(a) Application. A court order authorizing the placement of an undercover agent or 
informant in a part 2 program as an employee or patient may be applied for by any law 
enforcement or prosecutorial agency which has reason to believe that employees or agents of the 
part 2 program are engaged in criminal misconduct. 


(b) Notice. The part 2 program director must be given adequate notice of the application 





and an opportunity to appear and be heard (for the limited purpose of providing evidence on the 
statutory and regulatory criteria for the issuance of the court order in accordance with § 2.67(c)), 
unless the application asserts that: 

(1) The part 2 program director is involved in the suspected criminal activities to be 


investigated by the undercover agent or informant; or 
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(2) The part 2 program director will intentionally or unintentionally disclose the proposed 
placement of an undercover agent or informant to the employees or agents of the program who 
are suspected of criminal activities. 

(c) Criteria. An order under this section may be entered only if the court determines that 
good cause exists. To make this determination the court must find all of the following: 

(1) There is reason to believe that an employee or agent of the part 2 program is engaged 
in criminal activity; 

(2) Other ways of obtaining evidence of the suspected criminal activity are not available 
or would not be effective; and 

(3) The public interest and need for the placement of an undercover agent or informant in 
the part 2 program outweigh the potential injury to patients of the part 2 program, physician- 
patient relationships and the treatment services. 


(d) Content of order. An order authorizing the placement of an undercover agent or 





informant in a part 2 program must: 

(1) Specifically authorize the placement of an undercover agent or an informant; 

(2) Limit the total period of the placement to six months; 

(3) Prohibit the undercover agent or informant from disclosing any patient identifying 
information obtained from the placement except as necessary to investigate or prosecute 
employees or agents of the part 2 program in connection with the suspected criminal activity; 
and 

(4) Include any other measures which are appropriate to limit any potential disruption of 


the part 2 program by the placement and any potential for a real or apparent breach of patient 
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confidentiality; for example, sealing from public scrutiny the record of any proceeding for which 
disclosure of a patient's record has been ordered. 


(e) Limitation on use of information. No information obtained by an undercover agent or 





informant placed in a part 2 program under this section may be used to investigate or prosecute 
any patient in connection with a criminal matter or as the basis for an application for an order 


under § 2.65. 


Dated: December 20, 2016. 
Kana Enomoto, 


Acting Deputy Assistant Secretary for Mental Health and Substance Use. 


Sylvia M. Burwell, 


Secretary. 
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